CN1833403B - Communication system, communication device and communication method - Google Patents


Info

Publication number
CN1833403B
Authority
CN
China
Prior art keywords
agreement
communication
tcp
communicator
udp
Legal status
Expired - Fee Related
Application number
CN2004800226604A
Other languages
Chinese (zh)
Other versions
CN1833403A (en)
Inventor
尾崎博嗣
小川惠子
Current Assignee
Ogawa Keiko
Original Assignee
Individual

Classifications (all under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication)

    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials


Abstract

In order to strengthen the functions that prevent data leakage, tampering, spoofing, intrusion and attack without changing the program of an upper-layer application, encryption and decryption logic is negotiated between the transmitting side and the receiving side and applied to the payload of the protocol corresponding to TCP or UDP in the transport layer; this is offered as a new encryption system, TCP2. By employing TCP2, encrypted communication can be realised free of the various restrictions of conventional IPsec or SSL, without being restricted by the upper-layer application, and at the same time retaining compatibility at the IP layer.

Description

Communication system, communication device and communication method
Technical field
The present invention relates to communication security systems, and in particular to a communication system for preventing data 'leakage', 'tampering', 'spoofing', 'intrusion' and 'attack' on a network, to the protocol stack, communication device and communication method that realise that communication system, and to the computer programs for realising them.
Background art
In recent years network services have spread rapidly through society: anyone with a Windows personal computer connected to a network can access computers on that network. On the other hand, with this spread of network services, hackers or crackers breaking into other people's computer systems, stealing and viewing software or data, or tampering with or destroying it, has become a serious social problem.
As concrete examples of the harm: first, there are attacks that send a large volume of messages over the network to a target system so that it is overloaded and cannot be used. When the host is overloaded in this way, the system comes to a standstill.
There is also 'illegal access and spoofing', in which the password of a host is obtained, or confidential information is stolen, tampered with or destroyed. This includes careless rewriting of information stored on a computer and malicious acts intended to frame others. There is also so-called spyware, which hides in a particular personal computer and steals confidential data such as e-mail addresses or passwords. Nor can one rule out so-called eavesdropping, the frequent and unlawful viewing of the contents of databases held on computers connected to the network as described above.
Nor can it be said that there is no risk of deliberate theft of personal information at website or server operators, or of cyberterrorism carried out by spies hidden within companies and the like.
Most recently, the harm done by 'viruses', programs sent to other people's computers to make them malfunction, is increasing. A virus sent in this way can infect a home personal computer through e-mail and, the moment that home computer connects to a company computer, infect every computer in the company; it can destroy files on the computers and even paralyse the whole network.
For this reason, in communication over the Internet using the existing TCP/IP (Transmission Control Protocol/Internet Protocol) or UDP (User Datagram Protocol), so-called IPsec (Security Architecture for Internet Protocol) or SSL (Secure Socket Layer) encrypted communication is used as the function that prevents data 'leakage', 'tampering' and so on. In general, encrypted communication uses either a common-key (also called secret-key) cipher or a public-key cipher, and IPsec mostly uses the common-key cipher. Compared with public-key ciphers, common-key ciphers have the advantage of fast encryption and decryption. The common-key cipher used by IPsec encrypts and decrypts with the same key, and the key may be generated by either the sending side or the receiving side; however, since the same key must be used on both sides, great care must be taken during key exchange so that its contents do not leak outside.
A typical algorithm used in common-key ciphers is DES (Data Encryption Standard), a common-key (secret-key) encryption algorithm developed by IBM in the United States. IPsec also adopts DES as one of its encryption algorithms. IPsec was developed and then standardised by the IETF (Internet Engineering Task Force); its feature is that, rather than encrypting only a specific application, it encrypts all communication sent from a host at the IP level. The user can therefore communicate securely without regard to the application. In addition, IPsec can change the encryption algorithm in use without changing its own structure, so that it can cope with future use.
As the common encryption key used by IPsec, a 32-bit code called the SPI (Security Parameter Index) can be used, and IKE (Internet Key Exchange) is used as the key exchange protocol. IPsec also provides the AH (Authentication Header) protocol for integrity authentication.
SSL is an HTTP protocol with a secrecy function developed by Netscape Communications in the United States (now merged into AOL). Using it, a client and a server can authenticate each other over the network and then exchange highly confidential information such as credit card details in encrypted form. It therefore prevents eavesdropping on data, replay attacks (recording data on the network and re-sending it repeatedly), spoofing (pretending to be the person concerned in order to communicate), tampering with data, and so on.
Figure 25 shows an example of the protocol stack for existing encrypted communication using IPsec, and Figure 26 shows an example of the protocol stack for existing encrypted communication using SSL.
The lowest layer (layer 1) of the OSI reference model is the physical layer; layer 2 is the data link layer, layer 3 the network layer, layer 4 the transport layer, layer 5 the session layer, layer 6 the presentation layer, and the highest layer (layer 7) the application layer. The seven layers of the OSI reference model divide the communication function into seven levels and standardise the functional modules required of each layer. Figure 25 shows the layers up to the session layer (layer 5).
A protocol stack is the group of software, piled up in layers, that selects and realises the protocol of each layer for the network functions.
First, the concept of the OSI reference model is described. The layer-1 physical layer specifies the physical and electrical characteristics of the signal lines, the modulation method of the codes, and so on. However, this layer is rarely defined or implemented on its own; it is usually defined together with the layer-2 data link layer, as in the Ethernet specification, for example.
The layer-2 data link layer specifies the packetisation of data, the physical node addresses, and the method of sending and receiving packets. This layer defines the protocol for exchanging packets between two nodes over a physical communication medium: each node is given an address, the destination of a packet is designated by that address, and the packet is sent out on the medium. Communication media include copper wiring, radio and optical fibre. Connection forms (topologies) are not limited to one-to-one connections; there are bus, star, ring and other forms. A packet sent on the medium is taken in at the moment it reaches the receiving node and then handed to the upper protocol stack.
Straddling the physical layer and the data link layer is the NIC (Network Interface Card) driver; the NIC is the expansion card used to connect a personal computer, printer or the like to a LAN (Local Area Network). When it is simply called a network card, it is in most cases connected to Ethernet.
A node (device) that wants to send data monitors, through this NIC driver, whether the cable is idle, and starts sending when it is. If several nodes start sending at the same time, the data collide and are destroyed on the cable, so both nodes abort their transmission and retry after waiting a random period. In this way several nodes can share one cable and communicate with each other.
The layer-3 network layer specifies the communication method between any two nodes; in TCP/IP it corresponds to the IP layer. The data link layer allows communication between nodes on the same network medium; using that function to carry out routing so that any two nodes on the network can communicate is the task of the network layer. Routing here means selecting the best path when sending packets to a destination host in a TCP/IP network. In Ethernet, for example, only nodes on the same segment can communicate with each other directly, but the network layer routes packets so that two Ethernet segments can communicate. Moreover, packet routing need not go over a physical network medium: it may select a dial-up PPP (Point to Point Protocol) line that connects a computer to the network (Ethernet) over a telephone line, or a leased line such as optical fibre. To achieve this, each node is usually assigned an address that does not depend on the physical medium (in TCP/IP, the IP address), and routing is done on that basis. IPsec is in this network layer and encrypts all communication sent from the host at the IP level, so the user can communicate securely without regard to the application.
The layer-4 transport layer is the protocol stack that realises an error-free virtual communication circuit between two processes running on each node; in TCP/IP it corresponds to the TCP layer. The network layer provides the function of communicating between two nodes, but using it to provide an error-free virtual communication circuit between two processes (applications) is the task of this layer. That is, although the network layer can send data, it cannot guarantee that the data reliably reaches the other party, nor that it reaches the other party in the correct order. This layer therefore provides the error-free virtual circuit so that applications are easier to use, and performs data retransmission, recovery processing and the like where necessary.
Besides TCP, the transport layer also has UDP. The difference between UDP and TCP is that TCP is a protocol that applies data compensation and is therefore slower, while UDP applies no data compensation and is faster. TCP is mainly used when transferring data in communication between computers; UDP is mostly used when transmitting voice or images, as in IP telephony. So far there has been no example of performing encryption in the TCP or UDP protocol located in the layer-4 transport layer.
The layer-5 session layer specifies the order of a session (from the start of communication to its end) and establishes the connection between applications so that they are in a communicating state. The socket placed in this layer represents a network address that combines the IP address, which corresponds to the address of the computer in the network, with the port number, a sub-address of the IP address. When computers connect to each other, the socket (the combination of IP address and port number) must be specified before communication can proceed. As shown in Figure 26, SSL, a typical existing encrypted-communication technology, realises encrypted communication in this session layer.
The layer-6 presentation layer defines the representation, coding, encryption and so on of the data exchanged in the session layer (from the start of communication to its end). There is no part of the TCP/IP protocol corresponding to this layer; the processing of the data stream is usually done by the application itself.
The layer-7 application layer is used for data exchange between given applications; there is no part of the TCP/IP protocol corresponding to this layer either. It specifies the general data structures needed when exchanging data between applications, such as the format of e-mail or the internal structure of files.
Figure 25 is a standard protocol stack equipped with IPsec. First, the NIC (network interface card) driver is placed on the physical layer (layer 1) and the data link layer (layer 2). This driver is for the interface card that connects hardware such as a computer to the network; its content is data transmission and reception control software. For example, a LAN board or LAN card for connecting to Ethernet corresponds to it. The layer-3 network layer contains an IP emulator, part of which extends into the transport layer (layer 4). The part that extends into the transport layer is not installed as a transport-layer function; it only provides network-layer functions to the session layer. Depending on the purpose, this IP emulator switches between the protocol that performs IPsec encrypted communication and the protocol that does not, i.e. plain IP. The layer-3 network layer also has ARP (Address Resolution Protocol), the protocol used to derive the MAC (Media Access Control) address, which is the physical address of Ethernet, from the IP address. MAC is a transmission control technique used by LANs and the like, called medium access control, which specifies the unit of data transmission, i.e. the frame, the frame format, the method of sending and receiving frames, error correction and so on.
This network layer also has ICMP (Internet Control Message Protocol), a protocol for sending IP error messages or control information, and IGMP (Internet Group Management Protocol), a protocol for controlling the host group formed in order to send the same data to, or receive the same data from, many hosts efficiently. The transport layer above the network layer has TCP and UDP, and the session layer above that has the socket (SOCKET) interface.
Figure 26 is an example of a standard protocol stack with SSL as the encryption protocol: IPsec is not installed in the network layer, and SSL is installed on the socket (session layer). The other protocols are the same as in Figure 25.
Among existing representative encrypted-communication technologies, IPsec encrypts the IP packet before transmission and reception, so application software that uses upper protocols such as TCP or UDP does not need to be aware of IPsec.
SSL, on the other hand, uses digital certificates based on RSA (Rivest Shamir Adleman, the initials of the three inventors of the public-key cipher) for mutual authentication, and common-key encryption techniques such as DES for data encryption. Because SSL is located in the layer-5 session layer, it depends on the specific application.
IPsec has realised the prevention of data 'leakage' or 'tampering' by a function of layer 3 (network layer), which is lower than OSI layer 4 (transport layer) (see, for example, R. Atkinson, 'Security Architecture for the Internet Protocol', RFC 1825, August 1995). SSL, in contrast, is an encryption technology of the layer-5 session layer, and is the technique of securely transmitting and receiving confidential information, corporate secrets and the like after encrypting the data of WWW (World Wide Web) or FTP (File Transfer Protocol), which are widely used on the Internet today.
Table 1 compares the functions of IPsec and SSL. A glance at this table shows that IPsec and SSL have opposite merits and demerits.
For example, in communication between client and client, the command system and communication contents of SSL are in a master/slave relationship, that is, a client/server relationship, so that two clients cannot communicate without a server. That is, when secret data is encrypted with SSL and sent from terminal A to terminal B, it must pass through a server on the way. IPsec has no such restriction, so direct communication is possible.
Table 1: Comparison of the functions of IPsec and SSL (the table itself is only an image in the source and its contents are not reproduced here)
Furthermore, in a PPP (point-to-point protocol) mobile communication environment or an ADSL (Asymmetric Digital Subscriber Line) environment, before beginning encrypted data communication IPsec authenticates the connecting party during the communication carried out by IKE (Internet Key Exchange), the protocol used for deciding the cipher mode, exchanging keys and authenticating each other. In a PPP mobile environment (remote user) or an ADSL environment the IP address cannot be fixed, so the Main mode of IKE, which is frequently used between IPsec gateways and uses the communication partner's IP address as its ID information, cannot be used. As a countermeasure, Aggressive mode can be used: the ID information then need not be the IP address, user information, for example, can serve as the ID, and the other party is identified by using the user's password with a known common key. However, in Aggressive mode the ID of the connecting party is sent in the same message as the key exchange message, so the ID is not encrypted and is sent in plain text. The authentication problem can also be solved by using XAUTH (Extended Authentication within IKE), but since the IP address of a remote client is not known when configuring the firewall for its access, IKE and IPsec must all be set to permitted, which creates a security problem. SSL, on the other hand, can communicate even under such an environment.
In addition, IPsec has the problem that it cannot cope with NAT (Network Address Translation) or IP masquerading. To cope with them, it must be used together with other functions, such as encapsulation in a UDP payload. NAT is a technique by which one global IP address is shared among many computers when an enterprise or the like connects to the Internet; it translates between the IP address used only within the organisation (local address) and the address on the Internet (global address). The reason NAT cannot be supported is that the IP header lies within the authenticated region of the AH (Authentication Header), so the local address and global address cannot be translated, and communication between local addresses of different subnets is impossible.
IP masquerading is a mechanism by which many clients with private addresses within a LAN can access the Internet; because the terminals behind IP masquerading cannot be seen from outside (the Internet), it can be said to be ideal from the standpoint of security. The reason IPsec cannot cope with IP masquerading is that the ESP (Encapsulating Security Payload) header of IPsec immediately follows the IP header. An ordinary router implementing IP masquerading identifies the TCP/UDP port number immediately after the IP header. Therefore, when passing through a router with IP masquerading, the port number has been changed, so IPsec judges the packet to have been tampered with, and the host cannot be authenticated. This problem can be avoided by using a product that supports NAT-T (NAT-Traversal), which encapsulates the packet in a UDP payload; however, when the NAT-T draft versions differ, even NAT-T-capable products cannot connect to each other. SSL, on the other hand, can communicate even under such an environment.
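The NAT and masquerading incompatibilities described above, as an added illustration that is not code from the patent: an HMAC stands in for AH, ESP and TCP2 authentication, the packet model, addresses, ports and key are constructed, and "payload scope" here means only the payload-only protection the abstract attributes to TCP2.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Constructed shared key for the simulation; a real AH/ESP or TCP2 key would be negotiated.
KEY = b"constructed-demo-key"


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    next_header: str                   # what follows the IP header: "TCP", "UDP" or "ESP"
    src_port: Optional[int]            # None for ESP: no transport port is visible after the IP header
    dst_port: Optional[int]
    payload: bytes
    tag: str = ""                      # integrity tag (HMAC stands in for AH/ESP/TCP2 authentication)
    inner: Optional["Packet"] = None   # set when an ESP packet is carried inside UDP (NAT-T)


Scope = Callable[[Packet], bytes]


def ah_scope(p: Packet) -> bytes:
    """AH-style scope: the IP addresses are inside the authenticated region."""
    return b"|".join([p.src_ip.encode(), p.dst_ip.encode(), p.next_header.encode(),
                      str(p.src_port).encode(), str(p.dst_port).encode(), p.payload])


def esp_scope(p: Packet) -> bytes:
    """ESP-style scope: everything after the IP header, but not the IP header itself."""
    return b"|".join([str(p.src_port).encode(), str(p.dst_port).encode(), p.payload])


def payload_scope(p: Packet) -> bytes:
    """Payload-only scope as the abstract describes for TCP2: just the TCP/UDP payload."""
    return p.payload


def seal(p: Packet, scope: Scope) -> Packet:
    return replace(p, tag=hmac.new(KEY, scope(p), hashlib.sha256).hexdigest())


def verify(p: Packet, scope: Scope) -> bool:
    expected = hmac.new(KEY, scope(p), hashlib.sha256).hexdigest()
    return hmac.compare_digest(p.tag, expected)


def nat(p: Packet, global_ip: str) -> Packet:
    """Plain NAT: the private source address becomes the shared global address."""
    return replace(p, src_ip=global_ip)


def masquerade(p: Packet, global_ip: str, new_port: int) -> Optional[Packet]:
    """IP masquerading: the router reads the TCP/UDP port right after the IP header and
    rewrites it. With ESP directly after the IP header there is no port, so the packet
    cannot be masqueraded (modelled here as the router dropping it)."""
    if p.next_header not in ("TCP", "UDP"):
        return None
    return replace(p, src_ip=global_ip, src_port=new_port)


def nat_t_encapsulate(p: Packet) -> Packet:
    """NAT-T: wrap the ESP packet in a UDP datagram so that a port is visible again.
    UDP port 4500 is the port NAT-T uses; the inner packet travels unchanged."""
    return Packet(p.src_ip, p.dst_ip, "UDP", 4500, 4500, b"", inner=p)


def deliver(p: Optional[Packet], scope: Scope) -> bool:
    """Receiver side: unwrap NAT-T if present and check the integrity tag."""
    if p is None:
        return False
    if p.inner is not None:
        p = p.inner
    return verify(p, scope)


def run_scenarios() -> dict:
    """Constructed addresses: private host 192.168.0.10, NAT global 198.51.100.1, peer 203.0.113.5."""
    tcp = Packet("192.168.0.10", "203.0.113.5", "TCP", 40000, 443, b"secret record")
    esp = Packet("192.168.0.10", "203.0.113.5", "ESP", None, None, b"secret record")
    gw, port = "198.51.100.1", 50123
    return {
        # AH authenticates the IP header, so any address rewrite fails verification.
        "ah_through_nat": deliver(nat(seal(tcp, ah_scope), gw), ah_scope),
        # ESP leaves the IP header out of scope, so a pure address rewrite still verifies ...
        "esp_through_nat": deliver(nat(seal(esp, esp_scope), gw), esp_scope),
        # ... but a masquerading router finds no port after the IP header and cannot forward.
        "esp_through_masquerade": deliver(masquerade(seal(esp, esp_scope), gw, port), esp_scope),
        # NAT-T puts a UDP header in front; the router rewrites the outer port, the inner verifies.
        "esp_nat_t_through_masquerade": deliver(
            masquerade(nat_t_encapsulate(seal(esp, esp_scope)), gw, port), esp_scope),
        # Payload-only protection is untouched by both NAT and masquerading.
        "payload_through_nat": deliver(nat(seal(tcp, payload_scope), gw), payload_scope),
        "payload_through_masquerade": deliver(
            masquerade(seal(tcp, payload_scope), gw, port), payload_scope),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'verifies' if ok else 'FAILS'}")
```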
On the other hand, against the various attacks that network crackers, known as hackers or crackers, make on TCP/IP, namely so-called DoS (Denial of Service) attacks, SSL has no capability at all. When a DoS attack is made on the TCP/IP protocol stack, for example a TCP cut-off attack, the TCP session is cut off and SSL's service stops. IPsec, being installed in layer 3 (IP layer), gives the IP layer a security function and can therefore prevent DoS attacks on the TCP/IP layers (layers 4 and 3). SSL, however, is an encryption protocol installed in the layer above (layer 5) the TCP/IP layers (layers 4 and 3), so it cannot prevent DoS attacks on the TCP/IP layers (layers 4 and 3).
Furthermore, for communication under adverse conditions in which communication errors such as physical noise are frequent, SSL is more effective than IPsec. With IPsec, retransmission on error detection is carried out by TCP above it; TCP hands the retransmitted data to IPsec, but IPsec cannot recognise it as retransmitted data and encrypts it again. With SSL, error recovery is carried out in TCP, so the same data is not encrypted again.
In addition, with IPsec, communication between different LANs may not be possible. That is, the assignment of subnet addresses within a LAN is managed by the DHCP (Dynamic Host Configuration Protocol) server in that LAN, so the same subnet address is not assigned twice within one LAN; but when communicating between different LANs, the DHCP servers located in each LAN assign subnet addresses independently, so there is a possibility that the same address is assigned in both. When the same address has been assigned in this way, IPsec cannot communicate. Communication becomes possible if a separate IPsec-DHCP server is set up to manage the addresses so that they are not duplicated. SSL, being located in layer 5 (session layer) of the OSI reference model, lets TCP in the lower layer carry out error recovery and, as noted above, can communicate even under adverse conditions.
For communication across different network environments, IPsec must manage all intermediate nodes and change their settings so that IPsec can pass through, which makes administration heavy. SSL can communicate in such an environment without regard to the intermediate node environment.
IPsec also has the problem that it cannot connect via multiple carriers. That is, IPsec must manage all intermediate nodes and change their settings so that IPsec can pass through, so a connection via multiple carriers is not possible. For example, when contracting between Tokyo and Osaka, it is sometimes necessary to build an expensive dedicated line separately because a connection cannot be made through each carrier. SSL can communicate even under such an environment.
SSL, on the other hand, does not support UDP communication, so it cannot perform encrypted communication over UDP. Even for TCP it supports only specific ports, so it cannot perform encrypted communication on all TCP ports. IPsec, in contrast, can perform encrypted communication over both UDP and TCP.
SSL also has the problem that it lacks compatibility with applications. Applications use the socket (layer 5) as the program interface for Internet communication. Therefore, to use SSL (layer 5), the application must change this socket interface to the SSL interface; SSL is thus not application-compatible. IPsec, in contrast, is located below the socket (layer 5), so the socket (layer 5) can be used directly as the program interface, and application compatibility is retained.
In addition, IPsec performs control in units of IP address, whereas SSL performs control in units of resource (URL or file).
IPsec also has the problem of a smaller maximum segment size. Because IPsec uses an ESP header and an ESP trailer, the payload is smaller, so fragmentation (packet splitting) can occur and throughput falls. Moreover, since fragmentation is prohibited for TCP packets, it is necessary to know the environment through which IPsec passes between terminals and to set a maximum segment size that does not cause fragmentation. SSL, in contrast, need not know the pass-through environment and so need not set a maximum segment size.
Above, the functions of IPsec and SSL have been compared according to Table 1. TCP2 (registered trademark applied for), the protocol of the present invention described later, is an epoch-making encrypted-communication protocol that combines all the advantages of IPsec and SSL and has many further advantages besides.
Summary of the invention
The present invention was made in view of the above problems. Its object is to provide a communication system, in particular a protocol stack together with the associated communication device, communication method and the communication program that realizes them, in which an 'encryption function' for preventing intrusion need not be installed in each application or program at the terminal, so that the applications and programs themselves need not be regenerated; in which existing plaintext communication can still be used with a communication counterpart that does not support the above encryption function; and in which the effect of encryption or authentication can be obtained even in an environment where IPsec cannot be used (or where one does not wish to use it).
To solve the above problems and achieve the object of the present invention, the communication system of the present invention is a communication system that communicates by adding an encryption function to the protocol corresponding to TCP or UDP located in the transport layer, and comprises: a connection sequence device that judges whether the communication counterpart has proper authority and then connects with it; an agreement device that arranges the encryption/decryption logic corresponding to both ends of the communication line; an agreement encryption device that encrypts, according to the encryption logic arranged by the agreement device, at least the payload of the protocol corresponding to TCP or UDP in the packet that is the unit of transmission and reception, and then sends it; and an agreement decryption device that decrypts the received encrypted protocol according to the decryption logic arranged by the agreement device. The agreement device performs encrypted communication with the communication counterpart that the connection sequence device has judged to have proper authority and has connected, using the encryption/decryption logic for the TCP or UDP protocol of the transport layer.
Therefore, encryption can be carried out independently at the TCP or UDP level, which did not exist before, and the possibility that data of the layers above IP are leaked or tampered with is greatly reduced. That is, data from which the IP-level encryption of IPsec has been removed are still encrypted independently at the TCP or UDP level, so the strength of encryption is increased in the sense of double encryption, and at the same time data leakage through interfaces, such as interception of data that have just been properly decrypted at the IP level, can be effectively prevented.
In addition, when IP is not encrypted, safety is enhanced by encrypting only TCP or UDP independently.
Furthermore, from viewpoints such as performance, the broadcast function of UDP is sometimes separated from IPsec and operated on its own; even then, the TCP- or UDP-level encryption of the present invention remains effective.
Moreover, the agreement of the encryption/decryption logic is preferably carried out before the encryption/decryption corresponding to both ends of the communication line. Here the communication line of course includes both wireless and wired lines, and also includes communication via satellite. In addition, the agreement of the encryption/decryption logic in the present invention also includes storing the encryption/decryption logic on a removable medium such as a floppy disk, CD (Compact Disk), encryption disc, USB memory or IC chip, and reaching the agreement by exchanging such media between the transmitting end and the receiving end.
In addition, in the present invention, 'intrusion', 'attack' and other illegal communication patterns of an upper layer, typically an application layer such as HTTP, can be identified at a lower layer (the transport layer). For example, the agreement encryption device or agreement decryption device used by the communication system of the present invention, combined with a functional module such as the conventional cracking-protector (CP) that detects cracking patterns, discards them and restricts their passage, is realized at a layer lower than the application layer, namely at any of TCP or UDP of the transport layer, or IP, ARP, ICMP or IGMP corresponding to the network layer below it. These protocol stacks can be realized as a single protocol stack by 'software or hardware modules'.
Therefore, in addition to the above effects, a communication system can be realized whose functions for preventing 'leakage', 'tampering', 'spoofing', 'intrusion' or 'attack' on data have no duplication or gaps between protocol stacks, and which has a higher cost-performance ratio.
In addition, the communication system of the present invention comprises a 1st and a 2nd communication device, each having a connection sequence device that judges whether the communication counterpart has proper authority and then connects with it, and an agreement device that arranges the encryption/decryption logic used by a communication system that adds an encryption function to the TCP or UDP protocol of the transport layer; and a 3rd communication device that has no encryption/decryption logic agreement device. The communication devices that have the encryption/decryption logic agreement device (the 1st and 2nd communication devices) have, besides the encryption/decryption protocol processing unit for TCP or UDP, a common protocol processing unit that handles ordinary TCP or UDP without encryption and decryption. When communication takes place between communication devices that both have the encryption/decryption logic agreement device, the encryption/decryption protocol processing unit is used; when a communication device with the encryption/decryption logic agreement device (the 1st or 2nd communication device) communicates with the 3rd communication device, which has none, the encryption/decryption logic agreement device decides, according to the judgement information of the connection sequence device, not to encrypt or decrypt this communication, and the common TCP or UDP protocol processing unit can be used for it.
Therefore, communication can be guaranteed as before even with a communication device that cannot support the encrypted communication of the present invention.
Furthermore, in the communication system of the present invention, when a communication device that has the agreement device arranging the encryption/decryption logic (the 1st or 2nd communication device) communicates with a communication device that does not (the 3rd communication device), the 1st and 2nd communication devices may also use the decision of the encryption/decryption logic agreement device not to communicate with the 3rd communication device at all.
Therefore, complete security countermeasures can be adopted with respect to restricting communication counterparts and to the various security levels.
The present invention may further comprise a logic change device that stores the encryption/decryption logic that can serve as candidates for decision by the encryption/decryption logic agreement device in a memory, or installs it in a circuit, and regularly changes the stored content.
Thus the protocol stack itself can be regenerated or replaced to support a new cryptographic algorithm, or the risk of cryptanalysis can be reduced by changing the encryption key.
Furthermore, in the present invention, the encryption/decryption logic agreement device can also arrange an encryption/decryption logic that does not encrypt and handles plaintext.
Thus, even when the protocol stack of the communication counterpart, for example a client side, does not support the encryption of the present invention, communication is possible as before.
Moreover, even in such circumstances, the so-called cracking-protector (CP) function that prevents 'spoofing', 'intrusion' or 'attack' can still be exercised.
The present invention also provides a communication system that communicates by adding an authentication function to the protocol corresponding to TCP or UDP, comprising: a connection sequence device that judges whether the communication counterpart has proper authority and then connects with it; a completeness authentication agreement device that arranges the completeness (integrity) authentication logic corresponding to both ends of the communication line; an agreement completeness authentication information attachment device that, according to the completeness authentication logic arranged by the completeness authentication agreement device, attaches completeness authentication information to at least the payload of the protocol corresponding to TCP or UDP in the packet that is the unit of transmission and reception, and then outputs or sends it; and a completeness authentication device that performs completeness authentication on the received protocol to which the completeness authentication information has been attached, according to the completeness authentication logic arranged by the completeness authentication agreement device.
In addition, in the present invention, a 1st and a 2nd communication device, each having a connection sequence device that judges, using TCP or UDP of the transport layer, whether the communication counterpart has proper authority and then connects with it, and a completeness authentication agreement device that arranges the completeness authentication protocol using this TCP or UDP, and a 3rd communication device that has no completeness authentication agreement device are each connected to a network. The 1st and 2nd communication devices comprise a completeness authentication protocol processing unit that processes TCP or UDP with completeness authentication information attached, and a common protocol processing unit that processes ordinary TCP or UDP without attached completeness authentication information; the 3rd communication device has only the common protocol processing unit without completeness authentication. When communication takes place between the communication devices that have the completeness authentication agreement device (the 1st and 2nd communication devices), the completeness authentication protocol to which this completeness authentication agreement device has attached the completeness authentication information is used; when a communication device with the completeness authentication agreement device, for example the 1st communication device, communicates with the communication device without it (the 3rd communication device), it decides not to attach the completeness authentication information and communicates using the common protocol processing unit.
In addition, at this time, when a communication device with the completeness authentication agreement device (the 1st or 2nd communication device) communicates with the communication device without it (the 3rd communication device), it may also decide not to use the completeness authentication agreement device and not to communicate at all.
In addition, the present invention may further comprise a completeness authentication logic change device that stores the completeness authentication logic that can serve as candidates for decision by the completeness authentication agreement device in a memory, or installs it in a circuit, and regularly changes the stored completeness authentication logic.
Furthermore, in the present invention, the completeness authentication agreement device may also decide not to attach completeness authentication information and not to perform completeness authentication.
Moreover, even in such circumstances, the so-called cracking-protector (CP) function that prevents 'spoofing', 'intrusion' or 'attack' can still be exercised.
In addition, the present invention provides a communication method that communicates by adding an encryption function to the protocol corresponding to TCP or UDP of the transport layer, comprising: a connection step that uses the TCP or UDP protocol to judge whether the communication counterpart has proper authority and then connects with it; an agreement step that arranges in advance the encryption/decryption logic corresponding to both ends of the communication line; an agreement encryption step that encrypts, by the agreed encryption logic, at least the protocol corresponding to TCP or UDP in the packet that is the unit of transmission and reception, and then sends it; and an agreement decryption step that decrypts the received encrypted protocol by the agreed decryption logic. When the connection step judges that the communication counterpart has proper authority, the protocol corresponding to TCP or UDP of the transport layer is encrypted before communication.
In addition, the present invention provides a communication method for the case where a 1st, a 2nd and a 3rd communication device are each connected to a network, wherein the 1st and 2nd communication devices have an agreement device that arranges the encryption/decryption logic used in the communication method that adds an encryption function to the protocol corresponding to TCP or UDP of the transport layer, and the 3rd communication device has no such agreement device. That is, when communication takes place between the communication devices having the agreement device for the encryption/decryption logic (the 1st and 2nd communication devices), the payload of the protocol corresponding to TCP or UDP is encrypted by the encryption logic arranged by the agreement device before communication; when a communication device with the encryption/decryption logic agreement device (the 1st or 2nd communication device) communicates with the 3rd communication device, which has none, it decides to send the payload of the TCP or UDP protocol without encrypting it by the encryption logic arranged by the agreement device, and communicates using the ordinary TCP or UDP protocol that has no encryption logic.
In addition, in communication between the 1st or 2nd communication device and the 3rd communication device, the 1st or 2nd communication device may also decide not to communicate with the 3rd communication device, because the 3rd communication device lacks the encryption/decryption logic agreement device.
In addition, the encryption/decryption logic that can serve as candidates for agreement in the above encryption/decryption logic agreement may be stored in a memory or a circuit, and the content of the stored encryption/decryption logic may be changed regularly.
Furthermore, in this agreement step, an encryption/decryption logic that does not encrypt and handles plaintext may be arranged. In addition, the communication method of the present invention may further include a step of authenticating the communication counterpart before the agreement step.
In addition, the present invention provides a communication method that communicates by adding an authentication function to the protocol corresponding to TCP or UDP located in the transport layer, comprising: a connection step that uses the TCP or UDP protocol to judge whether the communication counterpart has proper authority and then connects with it; a completeness authentication agreement step that arranges in advance the completeness authentication logic corresponding to both ends of the communication line; an agreement completeness authentication information attachment step that, according to the completeness authentication logic arranged in the completeness authentication agreement step, attaches completeness authentication information to at least the protocol corresponding to the payload of TCP or UDP in the packet that is the unit of transmission and reception, and then sends it; and an agreement completeness authentication step that performs completeness authentication on the received protocol with the completeness authentication information attached, according to the completeness authentication logic arranged in the completeness authentication agreement step. When the connection step judges that the communication counterpart has proper authority, the completeness authentication information is attached to the TCP or UDP protocol of the transport layer before communication.
Furthermore, the present invention provides a communication method for communicating via a network between communication devices (the 1st and 2nd communication devices) that have a connection sequence device that judges, using TCP or UDP of the transport layer, whether the communication counterpart has proper authority and then connects with it, and a completeness authentication agreement device that arranges the completeness authentication protocol using this TCP or UDP, or between a communication device having the completeness authentication agreement device and a 3rd communication device that does not. This communication method is characterized in that, when a communication device on which the completeness authentication protocol is installed (for example the 1st communication device) communicates with another communication device on which it is likewise installed (for example the 2nd communication device), the completeness authentication agreement device, according to the judgement information of the connection sequence device, performs the completeness authentication protocol processing that attaches completeness authentication information to TCP or UDP before sending; and when the 1st or 2nd communication device, on which the completeness authentication protocol is installed, communicates with the 3rd communication device, on which it is not installed, the completeness authentication agreement device decides, according to the judgement information of the connection sequence device, not to attach the completeness authentication information, and communicates after the common protocol processing of ordinary TCP or UDP.
Moreover, when the 1st or 2nd communication device communicates with the 3rd communication device, which lacks the completeness authentication agreement device, the 1st or 2nd communication device may also decline to communicate because the 3rd communication device has no completeness authentication agreement device.
In addition, in the present invention, the method may further comprise: a step of storing in a memory, or installing in a circuit, the completeness authentication logic for the completeness authentication information that can serve as candidates for agreement in the completeness authentication agreement step; and a completeness authentication logic change step of regularly changing the stored or installed content. The method may also comprise a step of authenticating the communication counterpart before the completeness authentication agreement.
Description of drawings
Fig. 1 shows the TCP2 protocol stack used by the communication system of the present invention.
Fig. 2 shows the configuration of the whole system of the 1st example (EC application of TCPsec) of the communication system using TCP2 of the present invention.
Fig. 3 shows the configuration of the whole system of the 2nd example (broadcast application of UDPsec) of the communication system using TCP2 of the present invention.
Fig. 4 shows the packet structures of the three protocol stacks in TCP2 of the present invention and their encryption and authentication areas. (a), (b) and (c) show the packet structures of TCPsec/IPsec, TCPsec/IP and UDPsec/IP respectively, with the encryption scope and the completeness authentication application range of each.
Fig. 5 is a flow chart of the passive open processing of TCP/TCPsec as an example of TCP2 of the present invention.
Fig. 6 is a flow chart of the active open processing of TCP/TCPsec as an example of TCP2 of the present invention.
Fig. 7 is a sequence chart of the communication exchange between host A (active open) and host B (passive open) for standard TCP and for TCPsec of the present invention.
Fig. 8 is a flow chart detailing the TCP passive open processing S5 of Fig. 5.
Fig. 9 is a flow chart detailing the TCPsec passive open processing S6 of Fig. 5.
Fig. 10 is a flow chart detailing the TCP active open processing S12 of Fig. 6.
Fig. 11 is a flow chart detailing the TCPsec active open processing S13 of Fig. 6.
Fig. 12 is a flow chart detailing the TCPsec transmission/reception processing S37 of Fig. 9 and S76 of Fig. 11.
Fig. 13 is a flow chart detailing the TCPsec passive connection processing S48 of Fig. 9.
Fig. 14 is a flow chart detailing the TCPsec active connection processing S88 of Fig. 11.
Fig. 15 is a flow chart of the UDP/UDPsec open processing as an example of TCP2 of the present invention.
Fig. 16 is a sequence chart of UDP/UDPsec unicast communication using TCP2 of the present invention.
Fig. 17 is a sequence chart of UDP/UDPsec broadcast communication using TCP2 of the present invention.
Fig. 18 is a flow chart detailing the UDP open processing S124 of Fig. 15.
Fig. 19 is a flow chart detailing the UDPsec open processing S125 of Fig. 15.
Fig. 20 is a flow chart detailing the UDPsec broadcast reception start processing S141 of Fig. 19.
Fig. 21 is a flow chart detailing the UDPsec unicast transmission start processing S146 of Fig. 19.
Fig. 22 is a flow chart detailing the UDPsec data transmission/reception processing S144 of Fig. 19.
Fig. 23 is a flow chart detailing the UDPsec unicast reception start processing S137 of Fig. 19.
Fig. 24 illustrates the advantages obtained when TCP2 of the present invention is compared with the cases of using existing IPsec or SSL.
Fig. 25 shows a standard communication protocol stack using existing IPsec.
Fig. 26 shows a standard communication protocol stack using existing SSL.
Embodiment
Below, an example of the embodiment of the invention is described with reference to Fig. 1 to Fig. 24.
Fig. 1 shows the protocol stack used in the example of the encrypted communication system of the present invention.
As shown in Fig. 1, the protocol stack used by the present invention places a NIC (network interface card) driver 11 at the layer corresponding to the physical layer (1st layer) and data link layer (2nd layer) of the OSI 7-layer model. As mentioned above, this driver is the driver of the interface card that connects hardware such as a computer to the network; its content is data transmission/reception control software. A LAN board or LAN card for connecting to Ethernet, for example, corresponds to it.
At the network layer (3rd layer) there is an IP emulator 13, part of which extends into the transport layer (4th layer). This extended portion carries no transport function and provides only network-layer functions. The IP emulator 13 switches according to the purpose between 'IPsec on CP' 13b, the protocol for encrypted communication, and 'IP on CP' 13a, and puts the selected one into use. Here 'on CP' means that a cracking-protector (CP) monitors, discards, cuts off or restricts the passage of 'intrusion' or 'attack', or that pass-through has been set to the permitted state.
In addition, ARP on CP (Address Resolution Protocol on Cracking Protector) is placed on the network layer. ARP on CP is the protocol used when obtaining the MAC (Media Access Control) address, the physical address of Ethernet, from an IP address, with protection countermeasures against crackers (illegitimate visitors) built in. MAC is a transmission control technique known as medium access control, used in LANs and the like; it is the technique that specifies the unit of data transmission and reception, namely the form of a frame, the method of transmitting and receiving frames, error correction and so on.
Here the IP emulator 13 is software or firmware that makes the stack of the various security functions of the present invention match the existing IP surroundings. That is, ICMP (Internet Control Message Protocol) 14a, the protocol that conveys IP error messages and control information, and IGMP (Internet Group Management Protocol) 14b, the protocol for controlling a group of hosts formed so that the same data can be sent to, or received by, a plurality of hosts efficiently, are software, firmware or hardware (electronic circuits, electronic components) that interface with TCP 15 and UDP 16 and further with the socket (SOCKET) interface 17. With this IP emulator 13, the adaptation processing before and after IPsec encryption and decryption and the attachment and authentication of the necessary authentication information can be performed.
At the transport layer (4th layer) above the IP emulator 13, a TCP emulator 15 and a UDP emulator 16 are placed. The TCP emulator 15 switches according to the purpose between 'TCPsec on CP' 15b, the protocol for encrypted communication, and 'TCP on CP' 15a, the ordinary communication protocol, and puts the selected one into use. Likewise, the UDP emulator 16 switches according to the purpose between 'UDPsec on CP' 16b, the protocol for encrypted communication, and 'UDP on CP' 16a, the ordinary communication protocol, and puts the selected one into use.
The most characteristic point of the present invention is that the encrypted communication protocols TCPsec 15b and UDPsec 16b are installed at this transport layer (4th layer). TCPsec 15b and UDPsec 16b are described later.
At the session layer (5th layer) above this transport layer (4th layer), a socket interface 17 is provided that exchanges data with protocols such as TCP and UDP. As mentioned above, a socket denotes the network address that a computer obtains by combining the IP address, which corresponds to its address in the network, with a port number as a sub-address of the IP address; in practice it is constituted by a single software program module (an executable program or the like) that is added to or deleted from the system as a unit, or by a single hardware module (electronic circuits, electronic components and so on).
The socket interface 17 further provides a unified access method from the upper applications (the EC application shown in Fig. 2, the broadcast application shown in Fig. 3, and so on), so that the same interface as before is kept in aspects such as the kinds and types of variables.
The TCP emulator 15 has, in the transport layer, the functions of preventing data leakage and tampering: it has the function of assigning packets either to TCPsec 15b, which has encryption, completeness authentication, counterpart authentication and similar functions, or to the ordinary protocol TCP 15a, which has no such encryption, completeness authentication, counterpart authentication or similar functions. In addition, because both TCPsec 15b and TCP 15a have the cracking-protector (CP), whichever of the two is selected, a defence against 'intrusion' and 'attack' by cracking is realized. The TCP emulator 15 also serves as the socket interface with the upper layer.
In addition, as mentioned above, TCP has an error compensation function and UDP does not, but the transfer rate of UDP is faster and it has a broadcast function. The UDP emulator 16, like the TCP emulator 15, has the functions of preventing data leakage and tampering: it has the function of assigning packets either to UDPsec 16b, which has encryption, completeness authentication, counterpart authentication and similar functions, or to the ordinary protocol UDP 16a, which has no such encryption, completeness authentication, counterpart authentication or similar functions.
As shown in Fig. 1, the protocol stack made up of the socket 17, the TCP emulator 15, the UDP emulator 16, 'TCPsec on CP' 15b, 'UDPsec on CP' 16b, 'TCP on CP' 15a, 'UDP on CP' 16a, 'ICMP on CP' 14a, 'IGMP on CP' 14b, the IP emulator 13, 'IP on CP' 13a and 'ARP on CP' 12 is the protocol stack used to carry out the encryption of the present invention; below, this protocol stack is referred to as TCP2 (trademark registration applied for). TCP2 may be constituted with or without 'IPsec on CP' 13b.
TCP2 of the present invention installs CP (cracking-protector) on the standard protocols TCP, UDP, IP, IPsec, ICMP, IGMP and ARP, and can thereby prevent attacks on each protocol stack of the communication as well as attacks from applications and programs (Trojan horses, tampering with programs, illegal use by legitimate users). In addition, a TCP emulator 15 is installed in TCP2; because it is compatible, when viewed from the socket (Socket) 17 in the session layer and from the IP emulator 13 in the network layer, its outside can be regarded as the same thing as standard TCP. In reality, as a function of TCP2, it switches between and executes TCP and TCPsec. TCPsec is the encryption and authentication function of the transport layer of the present invention.
In addition, likewise, a UDP emulator 16 is installed in TCP2; because it is compatible, when viewed from the socket (Socket) 17 in the session layer and from the IP emulator 13 in the network layer, its outside can be regarded as the same thing as standard UDP. In reality, as a function of TCP2, it switches between and executes UDP and UDPsec. UDPsec is the encryption and authentication function of the transport layer of the present invention.
Next, TCPsec 15b and UDPsec 16b, whose function of preventing 'data leakage' is of particular importance among the functions of TCP2, are described.
As the encryption/decryption method (algorithm, logic) used for TCPsec 15b and UDPsec 16b, a known secret-key (symmetric-key) cryptographic algorithm is used. Examples are DES (Data Encryption Standard), the secret-key algorithm developed by IBM in the 1970s, and its strengthened variant 3DES. Another usable algorithm is IDEA (International Data Encryption Algorithm), published in 1992 by James L. Massey of the Swiss Federal Institute of Technology and Xuejia Lai. IDEA encrypts the data in blocks of 64 bits with a 128-bit key, and was designed to resist linear cryptanalysis and differential cryptanalysis, the methods that can break secret-key ciphers efficiently.
Further cipher methods usable for TCPsec 15b and UDPsec 16b of the present invention are FEAL (Fast Data Encipherment Algorithm), MISTY and AES (Advanced Encryption Standard); an encryption/decryption algorithm developed independently and kept secret may also be used. FEAL is a cipher developed by NTT (as the company then was); it is a secret-key cipher that uses the same key for encryption and decryption, and its advantage over DES is that encryption and decryption are faster.
MISTY, likewise usable as a cipher method in the present invention, is a secret-key cipher developed by Mitsubishi Electric Corporation. Like IDEA it encrypts the data in 64-bit blocks with a 128-bit key, and, as with DES, the same program can be used for encryption and decryption. It too was designed to resist linear and differential cryptanalysis.
AES is the next-generation standard cipher selected by the National Institute of Standards and Technology of the US Department of Commerce as the replacement for DES, the standard cipher until then. From several ciphers solicited worldwide, Rijndael, developed by the Belgian cryptographers Joan Daemen and Vincent Rijmen, was selected in October 2000.
Thus, as the cipher method for TCPsec 15b and UDPsec 16b of the present invention, any of the known secret-key algorithms above can be adopted, as can a secret-key cipher developed by the user independently. (Of the algorithms named, DES and the short-round FEAL variants have since been broken in practice, so a current implementation would choose AES.)
Next, as the method of 'peer authentication' and 'integrity authentication' that prevents so-called 'spoofing' and 'data tampering', an algorithm based on a public key or on a secret shared in advance (pre-shared) can be used together with an authentication algorithm such as MD5 (Message Digest 5) or SHA-1 (Secure Hash Algorithm 1). Instead of such a publicly known authentication algorithm, an independently developed one-way function can also be used.
MD5 is a hash function (one-way digest function) used in authentication and digital signatures. It produces a fixed-length hash value from the original text; by comparing the values at both ends of the communication line, it can be detected whether the original text was tampered with on the way. The hash value behaves like a pseudo-random number, so the original text cannot be regenerated from it, and it is difficult to construct other data that produce the same hash value. (Collisions in MD5 can now be found in practice, and SHA-1 is likewise deprecated for signatures; note also that an unkeyed digest only detects accidental damage, since an attacker who rewrites the text can recompute it, which is why the key or shared secret above is needed.)
SHA-1 is likewise a hash function used in authentication and digital signatures. It generates a 160-bit hash value from an original text of fewer than 2^64 bits; comparing the values at both ends of the line detects whether the original text was tampered with on the way. IPsec, the representative encrypted communication method of the existing Internet, also adopts this authentication algorithm.
For these authentication algorithms, secure key exchange can be arranged by the DH (Diffie-Hellman) public-key distribution scheme or by the IKE (Internet Key Exchange) protocol used by IPsec (UDP port 500). In addition, the protocol drivers (TCPsec 15b, UDPsec 16b and so on) can schedule a periodic change of the encryption/integrity authentication algorithm (logic) itself, or of the key set or key domain used with it.
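The key agreement and the two-ended comparison just described, as an added example that is not code from the patent. It assumes a demonstration-only Diffie-Hellman group (the prime 2^127 - 1, far too small for real use), SHA-256 key derivation with an assumed label and generation counter standing in for the driver's scheduled key change, and HMAC-SHA1 as the keyed form of the SHA-1 comparison; the payload and the attacker's rewrite are constructed. The same run shows why the comparison must be keyed: an unkeyed digest accepts a forgery, the keyed tag does not.

```python
import hashlib
import hmac
import secrets

# Demonstration-only Diffie-Hellman group: the Mersenne prime 2^127 - 1 keeps
# the numbers readable but is far too small for real use, where a standard
# MODP group of 2048 bits or more would be used.
DH_P = 2 ** 127 - 1
DH_G = 5


def dh_public(priv: int) -> int:
    """Public value g^priv mod p sent to the other side."""
    return pow(DH_G, priv, DH_P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Shared value computed from the peer's public value; the range check
    rejects the degenerate values 0, 1 and p-1 that would fix the result."""
    if not 1 < peer_pub < DH_P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, DH_P)


def derive_key(shared: int, label: bytes, generation: int) -> bytes:
    """Authentication key derived from the shared value.  The generation
    counter lets the driver schedule a key change without a new exchange."""
    material = label + generation.to_bytes(4, "big") + shared.to_bytes(16, "big")
    return hashlib.sha256(material).digest()


def auth_tag(key: bytes, data: bytes) -> bytes:
    """160-bit keyed tag (HMAC-SHA1) appended by the sender."""
    return hmac.new(key, data, hashlib.sha1).digest()


def auth_check(key: bytes, data: bytes, received_tag: bytes) -> bool:
    """Receiver-side comparison in constant time."""
    return hmac.compare_digest(auth_tag(key, data), received_tag)


def bare_hash_check(data: bytes, received_digest: bytes) -> bool:
    """Comparison of an unkeyed SHA-1 digest, shown only to expose its weakness."""
    return hashlib.sha1(data).digest() == received_digest


def run_exchange(a_priv: int, b_priv: int) -> tuple:
    """Host A and host B agree a key, then A sends one authenticated message
    that an on-path attacker rewrites.  Returns
    (keys_match, bare_hash_accepts_forgery, keyed_tag_accepts_forgery)."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    key_a = derive_key(dh_shared(a_priv, b_pub), b"tcp2-auth", 0)
    key_b = derive_key(dh_shared(b_priv, a_pub), b"tcp2-auth", 0)

    message = b"transfer 100 to account 42"            # constructed payload
    tag = auth_tag(key_a, message)

    # The attacker replaces the payload and recomputes the unkeyed digest,
    # which needs no secret; the keyed tag cannot be recomputed without the key.
    forged = b"transfer 900 to account 66"
    forged_digest = hashlib.sha1(forged).digest()

    return (key_a == key_b,
            bare_hash_check(forged, forged_digest),
            auth_check(key_b, forged, tag))


if __name__ == "__main__":
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    print(run_exchange(a, b))
```

The generation counter in derive_key is the hook for the periodic key change the text attributes to the protocol driver: both sides can step to generation 1, 2, ... on a schedule and obtain fresh keys from the same agreed value.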
Next, encrypted communication using the cipher method TCP2 (in particular TCPsec) of the first embodiment of the present invention is described with reference to Fig. 2. Fig. 2 is an example of communication especially suited to an EC (Electronic Commerce) application.
Fig. 2 shows the overall configuration when client terminals 3a, 3b and 3c for EC applications, connected to a network 20, are connected through a network control device 2, i.e. a so-called router or gateway, to a host computer 1 (a communication device acting as a so-called server) on another network 30.
Of the client terminals 3a, 3b and 3c connected to the network 20, client terminals 3b and 3c do not have TCP2 of the present invention installed; that is, they have neither TCPsec nor UDPsec, the cipher protocols of the present invention. Only client terminal 3a supports TCP2. For client terminal 3b, a network policy (not shown) is set so that connection by ordinary protocol processing is performed, i.e. a TCP-level connection without the encryption function that prevents 'data leakage', the integrity authentication function that prevents 'data tampering' or the peer authentication function that prevents 'spoofing'.
Each of client terminals 3a to 3c has the EC application software installed above the socket. The host computer 1 on the network 30 has TCP2 installed, with EC application software 18 above its socket 17. Fig. 2 omits unused protocols such as UDPsec, but the protocol stack of the host computer 1 contains all of the protocol stack of Fig. 1, i.e. the whole TCP2 software.
That is, above the first layer (physical layer) and the second layer (data link layer), where the NIC driver is arranged, the network layer (third layer) holds ARP (Address Resolution Protocol) 12 and the IP emulator 13. The transport layer (fourth layer) then holds the TCP emulator 15 and UDP 16. The UDP emulator (including UDPsec and UDP) is not drawn in Fig. 2 because the encrypted communication of the first embodiment serves an EC application, which values error compensation above transfer rate, so that TCPsec is the more suitable choice. This does not mean that the host computer has no UDPsec installed: as stated above, installing TCP2 means installing both UDPsec and TCPsec.
The protocol stack of the network control device 2 between the client terminals 3a, 3b, 3c on the network 20 and the host computer 1 on the network 30 consists of firmware (an electronic circuit with non-volatile memory) in which the NIC driver, ARP and IP are stacked.
Client terminal 3a is a terminal supporting TCP2 of the present invention, but here its protocol stack is shown as that of a communication device supporting only TCPsec. Client terminals 3b and 3c do not support TCP2 of the present invention.
Protocol driver software distributed in advance over the network or on a recording medium such as a CD-ROM has been installed on client terminal 3a. Protocol driver software is likewise distributed in advance and installed on client terminals 3b and 3c.
In particular, client terminal 3c has IPsec, an existing cipher method, installed; however, because the network control device (router) 2 performs IP masquerading that refers to TCP port numbers (rewriting addresses and ports invalidates the IPsec integrity check unless NAT traversal is provided for), IPsec cannot be used effectively. Moreover, a network policy (not shown) is set that rejects connection requests from client terminal 3c. The setting of such a network policy, and the protocol itself for confirming whether it is installed (analysis of received packets and so on), are well known in the industry, so their description is omitted here.
When the host computer 1 communicates with client terminal 3a, the communication uses the encryption/decryption protocol based on TCP2 of the present invention, in particular TCPsec. When the host computer 1 communicates with client terminal 3b or 3c, the TCP2-based encryption/decryption protocol (in particular TCPsec) is not performed; ordinary TCP is used. When the host computer 1 communicates with client terminal 3c, which supports IPsec, encrypted communication by IPsec can of course be performed. Moreover, even when the host computer 1 wants to communicate with client terminal 3b or 3c, which lack TCP2, the TCP2 on the host computer 1 can cause that communication to be refused.
In this embodiment the host computer 1 and client terminal 3a exchanged the encryption/decryption logic over the network, but the encryption/decryption protocol logic can of course be exchanged between the communicating parties in advance using removable media such as an FD, a CD or a USB memory.
Next, encrypted communication using the UDPsec cipher method of TCP2 according to the second embodiment of the present invention is described with reference to Fig. 3. Fig. 3 shows the overall configuration of a communication system in which client terminals 4a, 4b and 4c for a broadcast application, connected to the network 20, communicate through the network control device 2, a so-called router or gateway, with a host computer 1 (a communication device with the function of a so-called server) on another network 30.
Fig. 3 shows the protocol stacks of client terminals 4a, 4b, 4c and host computer 1; the client terminals supporting TCP2 are 4a and 4b, i.e. only terminals 4a and 4b possess UDPsec. The broadcast application software is installed above the socket of each client terminal. The host computer 1 on the network 30 also has TCP2 installed, with broadcast application software 19 above its socket 17. Like the host computer 1 of Fig. 2, the host computer 1 of Fig. 3 has all the TCP2 software of the protocol stack of Fig. 1 installed.
The protocol stack of the host computer 1 is roughly the same as that of the host computer 1 of Fig. 2, differing in that the UDP emulator 16 appears in place of the TCP emulator. This is because broadcast application software, which handles large volumes of data such as images, values speed more than the error compensation of data transmission.
The protocol stack of the network control device 2 between the client terminals 4a, 4b, 4c on the network 20 and the host computer 1 on the network 30 consists of firmware (an electronic circuit with non-volatile memory) in which the NIC driver, ARP and IP are stacked.
Client terminal 4a is a terminal supporting TCP2 of the present invention, shown here as a communication device supporting only UDPsec, and client terminal 4b is a communication device supporting both UDPsec of the present invention and the well-known IPsec. Client terminal 4c does not support TCP2 of the present invention. Like client terminals 3a to 3c of Fig. 2, client terminals 4a to 4c have protocol driver software installed that was distributed in advance over the network or on a recording medium such as a CD-ROM.
In particular, the encryption/decryption logic for preventing 'data leakage' and the authentication logic that appends authentication information for preventing 'data tampering' must correspond between the host computer 1 and the client terminals 4a, 4b, 4c. This can be arranged by the same policy as the well-known IPsec; in the second embodiment of the present invention, however, because the protocol driver software itself is distributed in advance, a simpler proprietary protocol can be used to agree on the secret key and so on, or packets of simpler structure can be used. Also, instead of incorporating well-known encryption/decryption and authentication algorithms, independently developed encryption/decryption and authentication algorithms (logic) can be incorporated as software modules of the protocol driver.
Although client terminal 4c does not have TCP2 installed, it has the well-known IPsec used on the Internet, so secure communication to a certain degree is possible. Client terminals 4a and 4b, however, do not install IPsec, for reasons of the performance of the broadcast application concerned and of security policy, and instead install and use UDPsec, a component of TCP2 of the present invention. The reason for using UDPsec rather than IPsec is that IPsec has weaknesses of its own; for example, because IPsec encrypts the UDP port number part (which belongs to the IP payload), performance is degraded.
Furthermore, by embedding the peer authentication protocol that judges whether the communication partner is correct into the TCP or UDP protocol stack of TCP2 of the present invention, i.e. into TCPsec or UDPsec, the partner authentication function is realised without the communicating parties having to provide for it in the upper application. The resulting increase in the number or length of the packets of the actual communication can be kept within a range that does not add cost.
In particular, when the broadcast function that sends data to unspecified multiple parties on the network is realised with UDPsec, the cipher method of the present invention, the client terminals 4a and 4b that receive the broadcast first negotiate and obtain the partner authentication or the secret key for the communication. Until client terminals 4a and 4b have performed partner authentication and obtained the communication secret key, they cannot decrypt the data delivered by UDPsec from the host computer 1.
Next, the structure of the packets transmitted and received in the communication of the first and second embodiments of the present invention, together with their encryption ranges and integrity authentication ranges, is described with reference to Fig. 4.
Fig. 4(a) shows the packet structure of TCPsec/IPsec with its encryption ranges and integrity authentication ranges, and Figs. 4(b) and 4(c) show the packet structures of TCPsec/IP and UDPsec/IP, respectively, with their encryption ranges and integrity authentication ranges.
As shown in Fig. 4(a), the TCPsec/IPsec packet is structured as follows: immediately after the IP header 41 comes the ESP header 42 of IPsec, followed by the TCP header 43 and the TCPsec additional information 44, then the application data 45. After the application data 45 comes the TCPsec additional trailer 46, which carries the information needed for the encrypted data, namely the padding produced by the block cipher, the pad length and the next header number; after it comes the TCPsec additional authentication data 47. Finally, the ESP additional trailer 48 and the ESP authentication data 49 of IPsec are placed after that.
Of these, the parts with reference numerals 41, 42, 48 and 49 are the information used by IPsec, and 43, 44, 46 and 47 are the information related to TCPsec, the core of TCP2 of the present invention. Here TCPsec is laid out with IPsec as a reference, but depending on the encryption or authentication algorithm adopted, the TCPsec additional information 44 and additional trailer 46 may be omitted, or the TCPsec additional authentication data 47 shortened, and the packet can still be used in the same way.
In the TCP2 packet structure of Fig. 4(a), encryption is applied in two ways, TCPsec and IPsec. On the sending side, TCPsec encryption is applied first and the TCPsec authentication data is appended; then IPsec encryption is applied and the IPsec authentication data is appended. On the receiving side, the IPsec layer is processed first, decrypting the packet and checking it against the IPsec authentication data; then the TCPsec layer is processed, decrypting the data and checking them against the TCPsec authentication data. Since each authentication range covers the corresponding encryption range, the authentication data is computed over the ciphertext, and a receiver can check it before decrypting and discard a forged or damaged packet without decrypting it.
Thus, a packet of the structure shown in Fig. 4(a) is encrypted with two cryptographic algorithms, IPsec and TCPsec, and then integrity-authenticated, so that, compared with IPsec alone, a cryptographic communication system particularly robust against intrusion from outside can be built. The range encrypted by TCPsec covers the application data 45 and the TCPsec additional trailer 46, and the authentication range of TCPsec covers that encryption range plus the TCPsec additional information 44. The range encrypted by the existing IPsec covers from the TCP header 43 to the ESP trailer 48, and its authentication range covers from the ESP header 42 to the ESP trailer 48.
Fig. 4(b) shows the structure of the TCPsec/IP packet. Unlike Fig. 4(a), the TCP header 43 and the TCPsec additional information 44 follow immediately after the IP header 41, and then the application data 45. After the application data 45 come the TCPsec additional trailer 46, carrying the information needed for the encrypted data (the padding produced by the block cipher, the pad length and the next header number), and the TCPsec additional authentication data 47.
Here, reference numerals 43, 44, 46 and 47 are the information characteristic of TCPsec. As mentioned above, depending on the encryption/authentication algorithm adopted, this information can be omitted, dispersed into unused header fields of the TCPsec/IP packet, or replaced by prior agreement (negotiation) through an independent protocol that cannot be inverted or inferred packet by packet. Furthermore, by using the unused protocol fields of TCP (the layer above IP) and of IP to form the TCPsec/IP packet of Fig. 4(b), the packet length can easily be reduced, making it shorter than an IPsec packet, which looks only at the lower IP layer. As shown in the figure, the encryption range here covers the application data 45 and the TCPsec additional trailer 46, and the authentication range covers that encryption range plus the TCPsec additional information 44.
Fig. 4(c) shows the packet structure of UDPsec/IP of the present invention; the UDPsec additional information 44a, the UDPsec additional trailer 46a and the UDPsec additional authentication data 47a are the information needed to support UDPsec. As shown in the figure, its encryption range covers the application data 45a and the UDPsec additional trailer 46a, and its authentication range covers that encryption range plus the UDPsec additional information 44a.
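The TCPsec/IP layout of Fig. 4(b), built and parsed end to end, as an added example that is not the patent's own code. It assumes that the additional information 44 is a 4-byte sequence number, that the authentication data 47 is a 12-byte truncated HMAC-SHA1, that the trailer 46 uses ESP-style pad bytes 1, 2, 3, ... followed by pad length and next header, and it replaces the block cipher with a SHA-256 counter keystream (padded to the 64-bit block size anyway) so that it runs with the standard library alone; the IP and TCP headers, keys and application data are constructed. The receiver verifies the authentication data over the ciphertext before decrypting, so a packet altered on the wire is dropped without decryption. The UDPsec/IP packet of Fig. 4(c) has the same layout with a UDP header in place of the TCP header.

```python
import hashlib
import hmac
import struct

BLOCK = 8        # 64-bit block size, as for DES, IDEA and MISTY in the text
INFO_LEN = 4     # assumed TCPsec additional information 44: a sequence number
TAG_LEN = 12     # assumed length of the additional authentication data 47


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in for the block cipher: a SHA-256 counter keystream so the
    example needs only the standard library.  The sequence number acts as
    the nonce, so a key must never be reused with the same sequence number."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!II", seq, counter)).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_tcpsec(enc_key, auth_key, ip_hdr, tcp_hdr, seq, app_data, next_header=6):
    """Assemble one TCPsec/IP packet: 41 | 43 | 44 | enc(45 + 46) | 47."""
    info = struct.pack("!I", seq)                        # 44
    pad_len = (-(len(app_data) + 2)) % BLOCK
    pad = bytes(range(1, pad_len + 1))                   # ESP-style pad bytes
    trailer = pad + bytes([pad_len, next_header])        # 46
    plain = app_data + trailer                           # encryption range: 45 + 46
    cipher = xor_bytes(plain, keystream(enc_key, seq, len(plain)))
    # authentication range: 44 plus the encryption range, taken over ciphertext
    tag = hmac.new(auth_key, info + cipher, hashlib.sha1).digest()[:TAG_LEN]  # 47
    return ip_hdr + tcp_hdr + info + cipher + tag


def parse_tcpsec(enc_key, auth_key, pkt, ip_len=20, tcp_len=20):
    """Receiver side: verify first, then decrypt.  Returns
    (seq, next_header, app_data), or None when the packet is rejected."""
    body = pkt[ip_len + tcp_len:]
    if len(body) < INFO_LEN + BLOCK + TAG_LEN:
        return None
    info, cipher, tag = body[:INFO_LEN], body[INFO_LEN:-TAG_LEN], body[-TAG_LEN:]
    if len(cipher) % BLOCK:
        return None          # not a whole number of blocks
    expected = hmac.new(auth_key, info + cipher, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None          # forged or damaged: dropped before any decryption
    seq = struct.unpack("!I", info)[0]
    plain = xor_bytes(cipher, keystream(enc_key, seq, len(cipher)))
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2 or plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None          # malformed trailer
    return seq, next_header, plain[:len(plain) - 2 - pad_len]


def demo() -> tuple:
    """Round-trip a constructed packet, then flip one ciphertext byte on the wire."""
    enc_key, auth_key = b"\x11" * 16, b"\x22" * 20       # constructed keys
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 80, 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    data = b"GET /order HTTP/1.1\r\n"
    pkt = build_tcpsec(enc_key, auth_key, ip_hdr, tcp_hdr, 7, data)
    good = parse_tcpsec(enc_key, auth_key, pkt)
    tampered = bytearray(pkt)
    tampered[20 + 20 + INFO_LEN] ^= 0x01                 # first byte of the ciphertext
    bad = parse_tcpsec(enc_key, auth_key, bytes(tampered))
    return good, bad, len(pkt)


if __name__ == "__main__":
    print(demo())
```

With a 21-byte application payload the trailer adds one pad byte, the pad length and the next header, so the encrypted part is exactly three 64-bit blocks and the whole packet is 80 bytes; the tampered copy is rejected by the tag comparison alone.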
Next, the operation of the encryption system using TCPsec of the first embodiment of the present invention is described with reference to the flowcharts of Figs. 5, 6 and 8 to 14 and the sequence diagram of Fig. 7.
Fig. 5 is a flowchart of the passive open processing of TCP and TCPsec (corresponding to the open of host B in Fig. 7, which waits for a connection; a Web server, for example, opens in this state). When an upper application program performs an open that waits for a connection, the passive open processing of TCP/TCPsec begins (step S1). In terms of Fig. 7, this part corresponds to the processing on the host B side.
First, the port number to be opened is analysed (step S2). In this analysis, for a Web server, for example, the definition status of TCP port 80 is checked. Next, it is judged whether this port number 80 permits a TCPsec passive open (step S3). If step S3 finds that a TCPsec passive open is not permitted, it is judged whether a TCP passive open is permitted (step S4). If step S4 finds that a TCP passive open is not permitted either, then neither TCPsec nor TCP is permitted, the TCP/TCPsec passive open fails, and processing is aborted (step S7).
If step S4 finds that a TCP passive open is permitted, i.e. a TCPsec passive open is not permitted but a TCP passive open is, the TCP passive open processing of Fig. 8, described later, is performed (step S5).
If step S3 confirms that a TCPsec passive open is permitted, the TCPsec passive open processing of Fig. 9, described later, is performed (step S6).
When the TCP passive open processing of step S5 or the TCPsec passive open processing of step S6 finishes, the TCP/TCPsec passive open processing ends (step S7). Thus, in this embodiment, the upper application starts the passive open as TCP, and by the judgement of TCP2 communication is carried out with TCPsec if TCPsec is supported and with TCP if it is not.
Next, the active open processing of TCP and TCPsec of the present invention is described with reference to Fig. 6. The active open of TCP/TCPsec is the open that requests a connection; a client terminal running a Web browser, for example, opens in this state. In terms of Fig. 7, it corresponds to the processing on the host A side. Fig. 6 is the flowchart of this active open processing: when an upper application program performs a connection-request open, the active open processing of TCP/TCPsec begins (step S8).
First, the port number to be opened is analysed (step S9). In this analysis, for example, when a client application running a Web browser wants to use TCP port number 3000, the definition status of TCP port number 3000 is checked.
Next, it is judged whether this port number 3000 permits a TCPsec active open (step S10). If step S10 finds that a TCPsec active open is not permitted, it is judged whether a TCP active open is permitted (step S11). If step S11 finds that a TCP active open is not permitted either, then neither the TCPsec nor the TCP active open is permitted, the TCP/TCPsec active open fails, and the connection processing is aborted (step S14).
If step S11 finds that a TCP active open is permitted, i.e. a TCPsec active open is not permitted but a TCP active open is, the TCP active open processing of Fig. 10, described later, is performed (step S12).
If step S10 confirms that a TCPsec active open is permitted, the TCPsec active open processing of Fig. 11, described later, is performed (step S13). When the TCP active open processing of step S12 or the TCPsec active open processing of step S13 finishes, the TCP/TCPsec active open processing ends (step S14). As with the passive open (Fig. 5), the active open of TCP/TCPsec is started from the upper application as TCP, and by the judgement of TCP2 communication is carried out with TCPsec if TCPsec is supported and with TCP if it is not.
Next, with reference to Fig. 7, the communication processing using TCPsec of the present invention is described as the sequence between host A on the active open side and host B on the passive open side.
Fig. 7 shows the connection sequence, data communication sequence and disconnection sequence when the cipher protocol TCPsec of the present invention is used, contrasted with standard TCP. Fig. 7(a) shows the communication sequence with standard TCP, and Fig. 7(b) the communication sequence with TCPsec of the present invention.
As shown in Fig. 7(a), in standard TCP the application of host B performs a TCP passive open and the application of host A performs a TCP active open.
When the application of host B performs the TCP passive open, the TCP passive open processing begins (see step S5 of Fig. 5 and Fig. 8) and waits for reception, as in step S15 of Fig. 8 described later. When the application of host A performs the TCP active open, the TCP active open processing begins (see step S12 of Fig. 6 and Fig. 10), and, as in step S52 of Fig. 10 described later, host A sends a connection request (SYN) to host B. The connection sequence of standard TCP is thus in its initial state.
On the host B side, on receiving this connection request (SYN), the received packet of the connection request is analysed and a connection response (SYN/ACK) is sent to host A. Here ACK stands for Acknowledgement and is sent, for example, when a data transfer ends normally. When host A receives this connection response (SYN/ACK), it sends an ACK (positive response) indicating that the connection is complete, and the connection sequence of standard TCP ends.
When the connection sequence of standard TCP ends, the data communication sequence of standard TCP becomes effective: after either host A or host B sends data, the side that received the data returns an ACK (positive response), and data are exchanged by repeating this basic pattern.
In the data communication sequence of standard TCP, either host A or host B can issue a disconnection request to the other.
Fig. 7(a) shows the case where host A on the active open side sends a disconnection request to host B on the passive open side. When the application of host A requests disconnection, host A sends a disconnection request (FIN). When host B receives this disconnection request (FIN), it sends a disconnection response (FIN/ACK), as in step S23 of Fig. 8 described later. When host A receives this disconnection response (FIN/ACK), it sends an ACK (positive response), and the disconnection sequence of standard TCP ends.
Next, the communication sequence of TCPsec of the present invention is described with reference to Fig. 7(b). In Fig. 7(b), the application of host B performs a TCPsec passive open and the application of host A performs a TCPsec active open.
When the application of host B is set to perform a TCPsec passive open, the TCPsec passive open processing begins (see step S6 of Fig. 5 and Fig. 9) and waits for reception, as in step S31 of Fig. 9 described later. When the application of host A is set to perform a TCPsec active open, the TCPsec active open processing begins (see step S13 of Fig. 6 and Fig. 11), and, as in step S69 of Fig. 11, host A sends a connection request (SYN) to host B. The connection sequence of TCPsec is thus in its initial state. Here, the connection request (SYN) carries, encrypted in its options, information specific to TCP2 that tells the other side that the sender is a correct communication object. That is, before the TCPsec negotiation data are exchanged afterwards, host A and host B can confirm whether the remote terminal supports TCP2, in other words whether it is a correct communication partner.
On the host B side, when the connection request (SYN) from host A is received and the sender is the correct partner, a connection response (SYN/ACK) is sent to host A. When host A receives the connection response (SYN/ACK) from host B, it sends an ACK (positive response). Next, TCPsec negotiation data are exchanged, and if the object is correct the TCPsec connection sequence between host A and host B ends.
When this connection sequence ends, the data communication sequence of TCPsec becomes effective: after either host A or host B sends data, the side that received the data returns an ACK (positive response), and data are exchanged by repeating this basic pattern.
In the data communication sequence of TCPsec, either host A or host B can issue a disconnection request to the other. In Fig. 7(b), disconnection is started by host A on the active open side. When the application of host A requests disconnection, host A sends a disconnection request (FIN). This disconnection request (FIN) also carries, encrypted in its options, the TCP2-specific information that tells the other side that the sender is the correct communication object. When host B receives this disconnection request (FIN) and the sender is the correct partner, it sends a disconnection response (FIN/ACK), as in step S42 of Fig. 9 described later. When host A receives this disconnection response (FIN/ACK), it sends an ACK (positive response), and the disconnection sequence of TCPsec ends.
Above, with reference to Fig. 7, the communication sequences from connection to disconnection have been described for standard TCP and for TCPsec, one component of TCP2 of the present invention. Below, the passive open processing and the active open processing of TCP and TCPsec are described in order with reference to the flowcharts.
Details when at first, in the step S5 of the flow chart of Fig. 5, beginning the passive open treated of TCP according to the flowchart text of Fig. 8.
When the protocol determined in step S5 of Fig. 5 is TCP, the TCP passive open processing of Fig. 8 begins. First, reception is awaited, and the received packet is parsed (step S15). Then it is judged whether the received packet is correct, i.e. whether it is a TCP-protocol attack pattern of the kind used in DoS attacks (step S16). When the judgement result of step S16 is an illegal packet, the received packet is discarded (step S17) and reception of the next packet is awaited.
When step S16 judges the received packet to be a correct TCP packet, it is judged whether a connection is in progress, i.e. whether the connection sequence between host A and host B of Fig. 7 has been completed (step S18). When step S18 judges that a connection is in progress, it is judged whether the next packet is a cut-off request (FIN of Fig. 7(a)) (step S19). If it is not a cut-off request, it is then judged whether it is a cut-off response (FIN/ACK of Fig. 7(a)) (step S20). When it is neither a cut-off request nor a cut-off response, TCP data transmit/receive processing is performed (step S21); when the received packet is a cut-off response, host A of Fig. 7 sends an ACK and the TCP connection is cut off (step S25). When step S19 judges the packet to be a cut-off request from host A, host B sends a cut-off response to it (step S23).
When the cut-off response has been sent in step S23, the last ACK is awaited (step S24). Then, after the last ACK is received, TCP is placed in the cut-off state (step S25), and the TCP passive open is finished (step S26).
When step S18 finds that the receiving port is not in a connection, it is judged whether the received packet is for a port permitted to open passively (step S27). When the received packet is not permitted, it is discarded (step S28) and the next packet is awaited. When step S27 finds that the received packet is for a port permitted to open passively, it is next judged whether the packet is a connection request (step S29); if it is not a connection request, the packet is discarded (step S28) and the next packet is awaited. When step S29 judges it to be a connection request, a connection response is sent, and TCP is placed in the connected state (step S30).
Next, the details of the TCPsec passive open processing of step S6 of Fig. 5 are described according to the flow chart of Fig. 9. This processing, shown in step S6 of Fig. 5, is performed when it is determined that the received packet is to be processed as TCPsec. First, reception is awaited, and the received packet is parsed (step S31). Then it is judged whether the received packet is correct, i.e. whether it is a TCP-protocol attack pattern of the kind used in DoS attacks (step S32). When the judgement result of step S32 is an illegal packet, the received packet is discarded (step S33), and processing returns to step S31 to await reception of the next packet.
When step S32 judges the received packet to be correct, it is judged whether the connection between host A and host B has been completed (whether a connection is in progress) (step S34). When step S34 judges that host A and host B are in a connection, it is judged whether the next received packet is a cut-off request (FIN) (step S35). If it is not a cut-off request, it is then judged whether the currently received packet is a cut-off response (FINACK) (step S36). When the received packet is neither a cut-off request nor a cut-off response, the TCPsec data transmit/receive processing shown in Fig. 12, described later, is performed (step S37), and processing proceeds to step S49. When step S36 finds a cut-off response, it is judged whether the cut-off key matches (step S38). Here, the cut-off key is the common key (secret key) negotiated between host A and host B in the connection sequence of Fig. 7; only when this key matches can the communication between the two be cut off. When step S38 judges that the cut-off key matches, an ACK is sent (step S39), and the TCPsec between host A and host B is cut off (step S44). When step S38 judges that the cut-off key does not match, the packet is discarded as an illegal packet (step S41), and the next received packet is awaited. When step S35 judges the received packet to be a cut-off request (FIN), it is likewise judged whether the cut-off key matches (step S40). When the cut-off key does not match, the packet is discarded as an illegal packet (step S41); when the cut-off key matches, a cut-off response (FINACK) is sent (step S42). When the cut-off response has been sent in step S42, the other party's last ACK is awaited (step S43); when this last ACK is received, TCPsec is placed in the cut-off state (step S44), and the TCPsec passive open is finished (step S45).
When step S34 judges that host A and host B are not in a connection, it is judged whether the received packet is for a port permitted to open passively (step S46). When it is not, the received packet is discarded (step S47), and processing returns to step S31 to await the next packet. When step S46 finds that the received packet is for a port permitted to open passively, the TCPsec passive connection processing shown in Fig. 13, described later, is performed (step S48).
Then, based on the common key and the authentication data, it is judged whether the communication is normal, i.e. whether the communication counterpart is a party with proper authority (step S49). If it is judged to be a normal party, processing returns to step S31 to await the next received packet; if the communication counterpart is judged not to be a normal object, the TCPsec connection is forcibly cut off (step S50), and the TCPsec passive open processing is ended (step S51).
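The Fig. 9 passive-open handling above, in particular the cut-off key check of steps S38 and S40 that keeps a FIN or FINACK without the negotiated key from tearing the connection down, is modelled below as an added Python example; it is not code from the patent. The dict packet layout, the `is_well_formed` stand-in for the step S32 check, and the assumption that the Fig. 13 authority check succeeds are mine.

```python
"""Constructed model of the TCPsec passive-open packet handling of Fig. 9
(steps S31 to S51); not the patent's own code.  Packets are dicts with a
'type' ("SYN", "ACK", "FIN", "FINACK" or "DATA"), a 'port', and, on
FIN/FINACK, the 'cut_off_key' the sender claims to share."""
import hmac
from dataclasses import dataclass, field

PACKET_TYPES = {"SYN", "ACK", "FIN", "FINACK", "DATA"}


def is_well_formed(pkt) -> bool:
    """Stand-in for the attack-pattern check of step S32: the patent does not
    spell the check out, so only the packet shape is validated here."""
    return (isinstance(pkt, dict)
            and pkt.get("type") in PACKET_TYPES
            and isinstance(pkt.get("port"), int))


@dataclass
class TcpsecPassiveEndpoint:
    cut_off_key: bytes               # common key negotiated in the Fig. 7 connection sequence
    allowed_ports: set               # ports permitted for passive open (step S46)
    connected: bool = False          # connection state tested in step S34
    awaiting_last_ack: bool = False  # FINACK sent, waiting for the last ACK (step S43)
    cut_off: bool = False            # cut-off state of step S44
    sent: list = field(default_factory=list)  # what this side transmitted

    def _key_matches(self, pkt: dict) -> bool:
        # steps S38/S40: constant-time comparison of the presented cut-off key
        presented = pkt.get("cut_off_key")
        return isinstance(presented, bytes) and hmac.compare_digest(presented, self.cut_off_key)

    def handle(self, pkt) -> str:
        """Process one received packet and return what was done with it."""
        if not is_well_formed(pkt):
            return "discard:illegal"                          # step S33
        if not self.connected:
            if pkt["port"] not in self.allowed_ports:
                return "discard:port-not-permitted"           # step S47
            if pkt["type"] != "SYN":
                return "discard:not-a-connection-request"
            # step S48: passive connection processing; the Fig. 13 authority
            # check is assumed to succeed in this model
            self.connected = True
            self.sent.append("SYNACK")
            return "connected"
        if self.awaiting_last_ack:
            if pkt["type"] == "ACK":                          # step S43
                self.connected, self.cut_off = False, True    # step S44
                return "cut-off"
            return "discard:unexpected"
        if pkt["type"] == "FIN":                              # step S35
            if not self._key_matches(pkt):                    # step S40
                return "discard:cut-off-key-mismatch"         # step S41
            self.sent.append("FINACK")                        # step S42
            self.awaiting_last_ack = True
            return "finack-sent"
        if pkt["type"] == "FINACK":                           # step S36
            if not self._key_matches(pkt):                    # step S38
                return "discard:cut-off-key-mismatch"         # step S41
            self.sent.append("ACK")                           # step S39
            self.connected, self.cut_off = False, True        # step S44
            return "cut-off"
        return "data"   # step S37: TCPsec data transmit/receive processing


if __name__ == "__main__":
    ep = TcpsecPassiveEndpoint(cut_off_key=b"negotiated-key", allowed_ports={5001})
    for p in ({"type": "SYN", "port": 5001},
              {"type": "FIN", "port": 5001, "cut_off_key": b"wrong"},
              {"type": "FIN", "port": 5001, "cut_off_key": b"negotiated-key"},
              {"type": "ACK", "port": 5001}):
        print(p["type"], "->", ep.handle(p))
```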
Next, the TCP active open processing shown in step S12 of Fig. 6 is described according to the flow chart of Fig. 10.
Fig. 10 shows the processing performed when the processing protocol determined in Fig. 6 is TCP. First, a connection request (SYN) is sent from the sending-side host A to the receiving-side host B (step S52). When the receiving-side host B sends a connection response (SYNACK) to this connection request, reception is awaited, and the received packet is parsed (step S53). Next, it is judged whether the received packet is correct, i.e. whether it is a TCP-protocol attack pattern of the kind used in DoS attacks (step S54). When the judgement result of step S54 is an illegal packet, the received packet is discarded (step S55), and processing returns to step S53 to await reception of the next packet.
When step S54 judges the received packet to be correct, it is judged whether the sending-side (active side) host A and the receiving-side (passive side) host B are in a connection (step S56). When step S56 judges that a connection is in progress, it is next judged whether the received packet is a cut-off request from the sending-side host A to the receiving-side host B (step S57). If it is not a cut-off request, it is judged whether it is a cut-off response (FINACK) from the receiving-side host B to the sending-side host A (step S58). When it is neither a cut-off request nor a cut-off response, TCP data transmit/receive processing is performed (step S59), and the next received packet is awaited. When step S58 judges that it is a cut-off response from host B to host A, host A sends an ACK confirming the cut-off (step S60), and TCP is cut off (step S63).
When step S57 finds the received packet to be a cut-off request, a cut-off response is sent from host B to host A (step S61), and host B waits to receive the last ACK from host A (step S62). Then, after host B receives the last ACK from host A, TCP is placed in the cut-off state (step S63), and the TCP active open is finished (step S64).
When step S56 judges that the sending-side host A and the receiving-side host B are not in a connection, it is judged whether the received packet is for a port permitted to open actively (step S65). When the received packet is not permitted, it is discarded (step S66) and the next packet is awaited. When step S65 finds that active open is permitted for the received packet, it is next judged whether there is a connection response from the receiving-side host B (step S67); if there is no connection response, the packet is discarded (step S66) and the next packet is awaited. When the receiving-side host B has given a connection response, TCP enters the connected state (step S68), and processing returns to step S53 to await the next received packet.
Next, the detailed processing when the TCPsec active open of step S13 of Fig. 6 begins is described according to the flow chart of Fig. 11.
The processing shown in the flow of Fig. 11 is the processing performed when the processing protocol of step S13 of Fig. 6 is determined to be TCPsec. First, a connection request (SYN) is sent from the sending-side host A to the receiving-side host B (step S69). When a connection response (SYNACK) arrives from the receiving-side host B, packet reception begins, and the received packet is parsed (step S70).
Next, the parsing result of this received packet is judged: whether the received packet is a correct TCP packet, i.e. whether it is a TCP-protocol attack pattern of the kind used in DoS attacks (step S71). When the judgement result is an illegal packet, the packet is discarded (step S72), and processing returns to step S70 to await the next packet.
When step S71 judges the received packet to be a correct TCP packet, it is judged whether the connection between the sending-side host A and the receiving-side host B is complete (whether they are connected) (step S73). If host A and host B are connected, it is judged whether the received packet is a cut-off request (FIN) (step S74). When the received packet is not a cut-off request, it is judged whether there is a cut-off response from the receiving-side host B (step S75). When there is neither a cut-off request nor a cut-off response, the TCPsec data transmit/receive processing shown in Fig. 12 is performed (step S76), and processing then proceeds to step S89.
When step S75 finds a cut-off response, it is judged whether the cut-off key matches (step S77). This cut-off key is as described for Fig. 9. When step S77 finds that the cut-off key matches, an ACK is sent from the sending-side host A to the receiving-side host B (step S78), and the TCPsec between host A and host B is cut off (step S83). When step S77 finds that the cut-off key does not match, the packet is discarded as an illegal packet (step S80), and the next received packet is awaited. When step S74 judges the received packet to be a cut-off request (FIN), it is likewise judged whether the cut-off key matches (step S79). When the cut-off key does not match, the packet is discarded as an illegal packet (step S80); when the cut-off key matches, a cut-off response (FINACK) is sent (step S81). When the cut-off response has been sent in step S81, the last ACK from the other party is awaited (step S82); when the last ACK is received, TCPsec is placed in the cut-off state (step S83), and the TCPsec active open is finished (step S84).
When step S73 finds that the connection between the sending-side host A and the receiving-side host B is not complete, i.e. they are not in a connection, it is judged whether the received packet is for a port permitted to open actively (step S85). When the received packet is not permitted, it is discarded (step S87), and processing returns to step S70 to await the next packet. When step S85 finds that active open is permitted for the received packet, it is judged whether the received packet is a connection response (SYNACK) from the receiving-side host B (step S86); when it is not a connection response packet, the packet is discarded (step S87) and the next packet is awaited; when step S86 judges it to be a connection response packet, the TCPsec active connection processing whose details are shown in Fig. 14 is performed (step S88).
When the TCPsec active connection processing has been performed in step S88, it is then judged whether the receiving-side host B is a normal object, i.e. an object permitted to connect (step S89). If it is judged to be an object permitted to connect, processing returns to step S70 to await reception of the next packet; if step S89 judges it not to be an object permitted to connect, the TCPsec transmit/receive is forcibly cut off (step S90), and the TCPsec active open processing is ended (step S91).
Next, the details of the TCPsec data transmit/receive processing selected in step S37 of Fig. 9 and step S76 of Fig. 11 above are described.
First, when the TCPsec data transmit/receive processing begins in step S37 of Fig. 9 or step S76 of Fig. 11, it is first judged whether there is a transmission request from the upper-layer application of host A (step S92). When there is a transmission request from the upper-layer application of host A, the sending-side host A encrypts the transmission data (step S93), appends authentication data to it (step S94), and sends the encrypted packet with the appended authentication data to the receiving-side host B (step S95).
Next, the receiving-side host B judges whether data has been received (step S96); when data is received, the received data is decrypted (step S97). Then it is judged whether the received and decrypted data is correct (step S98). This judgement is made by checking the decrypted data against the received authentication data; when the result of checking the decrypted data is that it is not correct, TCP/TCPsec is forcibly cut off (step S99). This forced cut-off is performed by discarding the received data and requesting a cut-off from the sending side. When step S98 judges the decrypted data to be correct, the received data is taken in, i.e. passed to the upper protocol stack (step S100), and the TCPsec data transmit/receive processing is finished (step S101).
Next, the details of the TCPsec passive connection processing started in step S48 of Fig. 9 are described according to the flow chart of Fig. 13.
First, it is judged whether the other party is the correct party, i.e. whether it is a computer with authority to connect to this computer (step S102); when it is not the correct party, TCPsec forced cut-off processing is carried out (step S103). When step S102 judges the connecting object to be correct, a connection response is sent from the receiving-side host B (step S104).
Then it is confirmed whether information on the party to which the connection response was sent is present on this computer (step S105). When the other party's information is not on this computer, it is obtained from the native system, i.e. the installation server used when TCP2 was installed (step S106), or from a third-party authentication server, and processing then proceeds to step S107. As this obtained information, one or more of the other party's TCP2 ID, user ID, password, biometric information, device-intrinsic information and LAN connection device information can be selected and used. Furthermore, even when this computer already has information obtained from the server, the information must be obtained again once the validity period or the valid number of accesses has been exceeded.
Next, it is judged whether the other party's information is correct, i.e. whether the other party is permitted to access this computer (step S107). Here, if the connecting object is correct, the TCPsec passive connection is completed (step S108); when the object is incorrect, TCPsec is forcibly cut off and the connection is terminated (step S103).
Next, the details of the TCPsec active connection processing started in step S88 of Fig. 11 are described according to the flow chart of Fig. 14.
As with the passive connection processing of Fig. 13, it is first judged whether the party making the connection request is the correct party, i.e. whether the communication is from a party with authority to access this computer (step S109). If the communication is not from a party with proper access authority, TCPsec is forcibly cut off and the active connection processing ends (step S110).
When step S109 judges the object to be correct, an affirmative connection response (ACK) is sent from the sending-side host A to the receiving-side host B (step S111).
Next, it is judged whether this computer has the other party's information (step S112). When the other party's information is not on this computer, it is obtained from the native system, i.e. the installation server used when TCP2 was installed (step S113), or from a third-party authentication server, and processing then proceeds to step S114. Here, as in step S106 of Fig. 13, one or more of the other party's TCP2 ID, user ID, password, biometric information, device-intrinsic information and LAN connection device information can be selected and used as the obtained information. Furthermore, even when this computer already has information obtained from the server, the information must be obtained again once the validity period or the valid number of accesses has been exceeded.
Next, it is judged whether the other party's information indicates a correct object, i.e. whether the other party is permitted to access this computer (step S114). If the connecting object is correct, the TCPsec active connection is completed (step S115); when the object is incorrect, TCPsec is forcibly cut off and the connection is terminated (step S110).
The above described the communication processing using the passive open and active open of TCP/TCPsec in TCP2 of the present invention.
Next, a communication system and communication method using UDP/UDPsec, as shown in Fig. 3, are described as the second embodiment of the present invention.
Fig. 15 is a flow chart for explaining the UDP/UDPsec passive open processing used in the second embodiment of the present invention.
This processing is started from the upper-layer application program (step S120). First, the parsed open port number, i.e. the definition status of the port number, is confirmed (step S121). Next, it is judged whether this port number is UDPsec-open (step S122). When it is not UDPsec-open, it is judged whether it is UDP-open (step S123). When neither UDPsec nor UDP is permitted to open, the UDP/UDPsec processing is finished (step S126). When step S123 judges that UDP open is permitted, i.e. UDPsec open is not permitted but UDP open is, the UDP open processing shown in Fig. 18 is carried out (step S124); when step S122 judges that UDPsec is open, the UDPsec open processing is carried out regardless of whether UDP is open (step S125), and the UDP/UDPsec open processing is then finished (step S126). Furthermore, even when the upper-layer application opens as UDP, communication can be carried out using UDPsec or UDP according to the judgement of TCP2.
Next, a series of processes in unicast communication using UDP/UDPsec, one of the second embodiments of the present invention, is described with reference to Fig. 16.
Fig. 16 shows the start sequence of unicast communication, the data communication sequence, and the packets (consisting of header and payload) and their flow, for standard UDP and for UDPsec of TCP2 of the present invention.
Fig. 16(a) shows a communication sequence using standard UDP, and Fig. 16(b) shows the sequence of UDPsec encrypted communication.
The standard UDP of Fig. 16(a) shows an example in which the applications of both host A and host B are UDP-open. If the application of host B is UDP-open, the UDP open processing begins (see step S124 of Fig. 15 and Fig. 18). Likewise, when the application of host A is UDP-open, the above UDP open processing also begins. Therefore, UDP data communication can be performed. Here, in the unicast communication shown in Fig. 16(a), both host A and host B can send data.
Next, the communication processing sequence of UDPsec, one of the encryption modes of TCP2 of the present invention, is described.
Fig. 16(b) is an example of encrypted communication using the UDPsec provided by TCP2 of the present invention; in this example, the applications of both host A and host B are judged to be UDP-open, and TCP2 is UDPsec-open.
When host B is UDPsec-open, the UDPsec open processing begins (see step S125 of Fig. 15 and Fig. 19). Likewise, when host A is UDPsec-open, the UDPsec open processing also begins. Thus, UDPsec data communication can be realized.
In the unicast communication using UDPsec shown in Fig. 16(b), as with UDP, both host A and host B can send data. For the case of Fig. 16(b), the case in which the application of host A requests the sending of UDP data is described first. When the request to send UDP data is received from the application, host B begins the UDPsec unicast reception start processing, and negotiation begins. If the other party is found to be the correct party during negotiation, the negotiation is completed, and subsequent requests from the application to send UDP data are sent as UDPsec data (encrypted data). In this UDPsec unicast communication, an ACK (positive response) is returned from the side that received the data. Therefore, although transmission confirmation and data guarantee functions are provided, the speed of data communication is correspondingly improved, making it suitable for communication of large-capacity image data and the like.
Fig. 17 shows the start sequence, the data communication sequence, and the packets (consisting of header and payload) and their flow, for broadcast communication using standard UDP and using UDPsec as an encryption mode of TCP2 of the present invention.
Fig. 17(a) shows the communication sequence of standard UDP, and Fig. 17(b) shows the sequence of UDPsec communication of TCP2 of the present invention.
In the standard UDP of Fig. 17(a), the applications of both host A and host B are UDP-open. If the application of host B is UDP-open, the UDP open processing begins (see step S124 of Fig. 15 and Fig. 18). Likewise, when the application of host A is UDP-open, the above UDP open processing also begins. Therefore, a state is reached in which UDP data communication can be performed.
Although both host A and host B can produce data, Fig. 17(a) is drawn, in order to also cover broadcast communication, so that data flows in one direction from host A to host B. Since the host B that receives the data does not return an ACK (positive response), there is no transmission confirmation or data guarantee function. Furthermore, when broadcasting data, data can be broadcast by setting the subnet address portion of the IP address to all 1s.
Next, the UDPsec encrypted communication of Fig. 17(b) is described. Here, too, the applications of host A and host B are both UDP-open, and TCP2 is UDPsec-open.
When host B is UDPsec-open, the UDPsec open processing begins (step S125 of Fig. 15 and Fig. 19). Likewise, when host A is UDPsec-open, the UDPsec open processing also begins. Thus, UDPsec data communication can be performed.
As shown in Fig. 17(b), the case in which there is a request from the application of host A to send UDP broadcast data (data whose IP address indicates broadcast) is described. When the request to send UDP broadcast data is received from the application, no negotiation is needed; the data is simply sent by UDPsec as encrypted data to unspecified hosts. When host B receives the broadcast data, the UDPsec broadcast reception start processing of step S141 of Fig. 19, described later, begins. Negotiation begins between host A and host B; if the other party is the correct party, the negotiation is completed, and the broadcast data is decrypted and then passed to the application. At this point, since the data-receiving side does not return an ACK (positive response), there is no transmission confirmation or data guarantee function.
Next, the standard UDP open processing of step S124 of Fig. 15 is described according to Fig. 18.
Fig. 18 is a flow chart of the UDP open processing; this processing begins in step S124 of Fig. 15 when the protocol to be processed is determined to be UDP.
First, a transmission request from the application or reception of a packet is awaited; when a transmission request or a packet is received, the packet is parsed (step S127). Here, not only received packets but also transmission requests are parsed, in order to prevent a malicious third party from making host A the victim and using it as a springboard to communicate with an unspecified large number of parties. After the transmitted or received packet has been parsed, it is judged whether it is a correct packet, i.e. whether it is a UDP-protocol attack pattern of the kind used in DoS attacks (step S128). When step S128 judges it to be an illegal packet, the packet is discarded (step S129) and the next packet is awaited.
When step S128 judges the packet to be correct, UDP data transmit/receive processing is performed (step S130); then it is judged whether there is a UDP close request from the upper-layer application (step S131). When there is a UDP close request from the upper-layer application, the UDP open processing is finished (step S132).
Next, the UDPsec open processing of step S125 of Fig. 15 is described according to Fig. 19. Fig. 19 is a flow chart of the UDPsec open processing; as shown in step S125 of Fig. 15, this processing begins when the protocol to be processed is determined to be UDPsec.
First, a transmission request from the application or reception of a packet is awaited, and the transmission request or received packet is parsed (step S133). Next, it is judged whether the transmission request from the upper-layer application or the transmitted/received packet is a correct UDP packet, i.e. whether it is a TCP-protocol attack pattern of the kind used in DoS attacks (step S134). When step S134 determines that it is not a correct UDP packet, the packet is discarded (step S135) and the next packet is awaited.
When step S134 judges it to be a correct UDP packet, it is then judged whether it is a received packet that has undergone UDPsec negotiation (step S136).
When it is judged to be a UDPsec negotiation packet, the UDPsec unicast reception start processing shown in Fig. 23, described later, is performed (step S137), and processing proceeds to step S147.
When step S136 judges that it is not a UDPsec negotiation packet, it is then judged whether it is broadcast communication (step S138). When it is judged to be broadcast communication, it is judged whether it is the start packet of the communication, i.e. the first communication data packet after opening (step S139); when it is not the start packet, the UDPsec data transmit/receive processing described with Fig. 22 is performed (step S144). When step S139 judges it to be the start packet of the communication, it is then judged whether it is a transmission packet (step S140). If the judgement result is that it is a transmission packet, the above UDPsec data transmit/receive processing is performed (step S144); when it is judged not to be a transmission packet, the UDPsec broadcast reception start processing of Fig. 20, described later, is carried out (step S141). After this reception start processing, it is judged whether the transmitted packet is from the correct party (step S142). When step S142 judges that the transmitted packet is not from the correct party, the packet is discarded (step S143) and the next packet is awaited. When step S142 judges it to be from the correct party, the UDPsec data transmit/receive processing shown in Fig. 22 is performed (step S144).
When step S138 judges that it is not broadcast communication, i.e. it is unicast communication, it is judged whether it is the start packet of the communication, i.e. the first communication data packet after opening (step S145); when the judgement result is that it is not the start packet, the UDPsec data transmit/receive processing described in detail with Fig. 22 is performed (step S144).
When step S145 judges it to be the first communication data packet after opening, the UDPsec unicast transmission start processing of Fig. 21, described later, is performed (step S146). Then it is judged whether the communication counterpart is the correct party (step S147). When it is the correct party, the UDPsec data transmit/receive processing continues (step S144); when it is not the correct party, the received packet is discarded (step S148), and processing returns to step S133 to await the next packet.
Next, the UDPsec broadcast reception start processing of step S141 of Fig. 19 is described according to the flow chart shown in Fig. 20.
First, it is judged whether this computer has information on the party that delivered the broadcast (step S149). When it does not have this information, the other party's information is obtained from the installation server used when the native system was installed (step S150), or from a third-party authentication server. As this obtained information, one or more of the other party's TCP2 ID, user ID, password, biometric information, device-intrinsic information and LAN connection device information are selected and used. Next, it is judged whether the party that delivered the broadcast is the correct party (step S151). When it is judged to be the correct party, UDPsec reception is possible, the UDPsec broadcast communication start processing is finished (step S153), and "reception possible" is indicated to step S142 of Fig. 19. When step S151 determines that the party is not correct, communication is refused (step S152), and likewise a message that the data was not obtained is sent to step S142 of Fig. 19. Furthermore, if in step S149 information on the other party is present but the validity period or the valid number of accesses has been exceeded, the other party's information can be obtained again in step S150.
Next, the UDPsec unicast transmission start processing of step S146 of Fig. 19 is described according to the flow chart shown in Fig. 21.
First, it is confirmed whether this computer has information on the party to which data is to be sent (step S154). When it does not have this information, the other party's information is obtained by the same method as in step S150 of Fig. 20 (step S155). The obtained information is also the same as in the case of Fig. 20.
Next, it is judged whether the party to which data is to be sent is the correct party (step S156). When it is judged to be the correct party, UDPsec transmission is possible, the UDPsec unicast communication start processing is finished (step S158), and "transmission possible" is indicated to step S147 of Fig. 19. When step S156 judges that it is not the correct party, communication is refused (step S157), and likewise a message that the data was not obtained is sent to step S142 of Fig. 19.
Secondly, the transmitting-receiving that the UDPsec data shown in the step S144 of Figure 19 are described according to Figure 22 is handled.
At first, judge whether transmission request (step S159) from the application of host A.If the request of sending is arranged, enciphered data (step S160) in the transmitter side host A then, and to this enciphered data additional authentication data (step S161) sends the packet (step S162) that has added verify data after encrypting again to the receiver side host B.
Secondly, in the receiver side host B, reception data (step S163) have been judged whether.When receiving data, receive the deciphering (step S164) of data.Secondly, judge that the data after this reception and the deciphering are correct data (step S165).This judgement is undertaken by the verify data of confirming data decryption and reception, still, as the result who has confirmed data decryption, when determining the data that are not correct, force disconnect UDP/UDPsec (step S166).When to determine data decryption in determining step S165 be correct data, be taken into the reception data, the data of the bit protocol stack that promptly makes progress transmit (step S167), and the data transmit-receive that finishes UDPsec is handled (step S168).
Secondly, handle according to beginning of receiving of the UDPsec clean culture (unicast) shown in the step S137 of process description Figure 19 of Figure 23.
At first, judge whether this computer has the other side's information (step S169) of the packet that is received by clean culture (unicast).When not having the other side's information, the server that the build-in services device that uses during from the installation native system or the third party authenticate is obtained the other side's information (step S170).The step S150 of this information that obtains and Figure 20 or the step S155 of Figure 21 are identical, and one or more in the ID of the other side's TCP2, user ID, password, biometric information, equipment intrinsic information and the LAN connection device information etc. are suitable therewith.
Secondly, judge that the other side who sends unicast communication is correct the other side (step S171).When judgement was correct the other side, the message that can carry out the reception of UDPsec conveyed to the step S147 of Figure 19, and finished the UDPsec broadcast communication and begin to handle (step S173).Pass on the message that do not obtain data to the step S147 of Figure 19 when in determining step S171, judging when not being correct the other side, and refusal communication (step S172).
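As an added illustration (not the patent's own code), the following Go program works the counterpart check of Figures 20, 21 and 23 and the data path of Figure 22 through: a local partner record that is missing, expired or out of valid uses is re-obtained from a stand-in for the installation server, each datagram is encrypted and then tagged, and a datagram whose tag fails the check is answered with the forced disconnect of step S166. AES-CTR, HMAC-SHA256, the record fields, the dummy keys and the in-memory server are assumptions, since the patent leaves the negotiated logic open; the receiver also checks the tag before decrypting, which departs from the flowchart order for the reason given in the comment.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Partner is the locally held "other side's information" (steps S149/S154/S169); its
// layout is an assumption, the patent only lists candidate fields such as the TCP2 ID.
type Partner struct {
	TCP2ID    string
	EncKey    []byte    // negotiated encryption key (assumed: 16-byte AES key)
	MacKey    []byte    // negotiated authentication key (assumed: HMAC-SHA256)
	ValidTill time.Time // validity period of the record
	UsesLeft  int       // remaining valid access count
}

// Registry is the local partner table plus a resolver standing in for the installation
// server or third-party authentication server of step S150.
type Registry struct {
	Local   map[string]*Partner
	Resolve func(id string) (*Partner, bool)
}

// Lookup is steps S149-S152 (likewise S154-S157 and S169-S172): a present, unexpired
// local record with uses left is used, otherwise it is (re)obtained; false = refuse.
func (r *Registry) Lookup(id string, now time.Time) (*Partner, bool) {
	p, ok := r.Local[id]
	if !ok || !now.Before(p.ValidTill) || p.UsesLeft <= 0 {
		if p, ok = r.Resolve(id); !ok {
			return nil, false // unknown counterpart: refuse communication, discard packet
		}
		r.Local[id] = p
	}
	p.UsesLeft--
	return p, true
}

const nonceLen, tagLen = aes.BlockSize, sha256.Size
var ErrDisconnect = errors.New("authentication failed: forcibly disconnect UDP/UDPsec") // step S166

func authTag(p *Partner, data []byte) []byte {
	mac := hmac.New(sha256.New, p.MacKey)
	mac.Write(data)
	return mac.Sum(nil)
}

// Seal is host A's side (S160-S162): encrypt, then append the authentication data.
// The layout nonce||AES-CTR ciphertext||HMAC-SHA256 tag is an assumed concrete form.
func Seal(p *Partner, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(p.EncKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceLen+len(plaintext)+tagLen)
	if _, err = rand.Read(out[:nonceLen]); err != nil {
		return nil, err
	}
	n := nonceLen + len(plaintext)
	cipher.NewCTR(block, out[:nonceLen]).XORKeyStream(out[nonceLen:n], plaintext) // S160
	copy(out[n:], authTag(p, out[:n]))                                            // S161
	return out, nil
}

// Open is host B's side (S164-S167). The flowchart decrypts and then checks the
// authentication data; checking the tag first rejects a forgery before any decryption.
func Open(p *Partner, body []byte) ([]byte, error) {
	if len(body) < nonceLen+tagLen {
		return nil, ErrDisconnect
	}
	n := len(body) - tagLen
	if !hmac.Equal(body[n:], authTag(p, body[:n])) {
		return nil, ErrDisconnect // S165 failed -> S166
	}
	block, err := aes.NewCipher(p.EncKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, n-nonceLen)
	cipher.NewCTR(block, body[:nonceLen]).XORKeyStream(pt, body[nonceLen:n]) // S164
	return pt, nil // S167: hand the data to the upper protocol stack
}

// NewTestRegistry is constructed sample input with dummy keys: host B's local table
// holds an expired record for "hostA", while the server's copy is still valid.
func NewTestRegistry(now time.Time) *Registry {
	server := map[string]Partner{"hostA": {TCP2ID: "hostA", EncKey: bytes.Repeat([]byte{0x11}, 16),
		MacKey: bytes.Repeat([]byte{0x22}, 32), ValidTill: now.Add(time.Hour), UsesLeft: 3}}
	stale := server["hostA"]
	stale.ValidTill = now.Add(-time.Minute) // expired: must be re-obtained (step S150)
	return &Registry{Local: map[string]*Partner{"hostA": &stale},
		Resolve: func(id string) (*Partner, bool) { p, ok := server[id]; return &p, ok }}
}
```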
The above has described in detail, by means of flowcharts and sequence charts, encryption using TCPsec according to the first embodiment of the present invention and encryption using UDPsec according to the second embodiment of the present invention.
Next, it is explained with reference to Table 2 and Figure 24 what advantages TCP2 of the present invention has over existing IPsec or SSL.
Table 2 adds the functions of TCP2 to the function comparison table of IPsec and SSL given in Table 1.
As Table 2 shows, adopting TCP2 solves all of the various problems of IPsec and SSL that were described in the background art.
Table 2: Function comparison of IPsec, SSL and TCP2
[Table 2 is available only as an image in the source and is not reproduced as text here.]
For example, SSL has difficulty with client-to-client communication, with securing communication against attacks on the TCP/IP protocol, with covering all UDP ports or TCP ports, and with the restriction that applications must be modified at the socket program level; TCP2 handles all of these.
Further, IPsec has difficulty with communication in adverse environments where errors occur easily, communication between different LANs, communication via multiple carriers, and communication in PPP mobile environments or ADSL environments; TCP2 fully supports all of these.
Moreover, for VoIP (Voice over Internet Protocol) in a mobile environment or an ADSL environment, IPsec and SSL have problems, as shown in Table 1 and Table 2, whereas TCP2 of the present invention can adapt to any environment.
Likewise, for Internet telephony using VoIP between different LANs or across the LANs of multiple carriers, IPsec and SSL cannot adapt, whereas TCP2 of the present invention handles it fully.
Figure 24 illustrates the superiority of TCP2 by comparing, against an unprotected protocol stack (a), the cases of using existing SSL (b), using IPsec (c) and using TCP2 of the present invention (TCPsec/UDPsec) (d). SSL in Figure 24(b), as mentioned above, is placed at the socket of the session layer (layer 5), so it is not compatible with upper-layer applications; SSL itself therefore has the problems described above. IPsec in Figure 24(c) is located at the network layer (layer 3) and is not compatible at the IP layer, so it is subject to the various restrictions on network configuration described above. In contrast, TCP2 (TCPsec/UDPsec) in Figure 24(d) is an encryption technology introduced at the transport layer (layer 4); sockets can therefore be used directly from applications and IP can be used directly from the network, so there is no restriction on network configuration.
As described above, the cryptographic communication system and cryptographic communication method using TCP2 of the present invention, compared with existing encryption systems, have a very strong protective function, in particular against data leakage, tampering, impersonation, intrusion and attack.
The present invention is not limited to the embodiments described above; it of course includes further embodiments within the scope of the gist set out in the claims.

Claims (18)

1. A communication system that communicates after adding an encryption function to the TCP or UDP protocol located at the transport layer, characterized by comprising:
connection sequence means for judging whether a communication counterpart has legitimate authority and connecting to the communication counterpart only thereafter;
negotiation means for negotiating the encryption/decryption logic corresponding to both ends of the communication line;
protocol encryption means for encrypting, according to the encryption logic negotiated by said negotiation means, at least the payload of said TCP or UDP protocol in the packet that is the unit of information exchange, and then transmitting it; and
protocol decryption means for decrypting the received encrypted protocol payload according to the decryption logic negotiated by said negotiation means,
wherein said negotiation means carries out communication based on said encryption/decryption logic, using said TCP or UDP protocol of said transport layer, only with a communication counterpart that said connection sequence means has judged to have legitimate authority and connected to.
2. A communication system constituted by first, second and third communication devices each connected to a network, wherein said first and second communication devices have: negotiation means for negotiating the encryption/decryption logic used by a communication system that communicates after adding an encryption function to the TCP or UDP protocol located at the transport layer; and connection sequence means for judging whether a communication counterpart has legitimate authority and connecting to that communication counterpart only thereafter; and said third communication device does not have negotiation means for negotiating said encryption/decryption logic, characterized in that:
said first and second communication devices comprise: protocol encryption means for encrypting, according to the encryption logic negotiated by said negotiation means, at least the payload of said TCP or UDP protocol in the packet that is the unit of information exchange, and then transmitting it; and encryption protocol processing means and ordinary protocol processing means, wherein said encryption protocol processing means is constituted by protocol decryption means for decrypting the received encrypted protocol payload according to the decryption logic negotiated by said negotiation means, and said ordinary protocol processing means does not follow said encryption/decryption logic,
said third communication device has only ordinary protocol processing means, which is not used to negotiate the encryption/decryption logic of said TCP or UDP protocol,
when communicating with said second communication device, said first communication device, according to the judgement information of said connection sequence means, uses said encryption/decryption logic negotiation means to select said protocol encryption means and communicates using said protocol encryption means, and
when communicating with said third communication device, said first communication device, according to the judgement information of said connection sequence means, uses said encryption/decryption logic negotiation means either to select and use said ordinary protocol processing means, which does not follow said encryption/decryption logic, for the communication, or not to communicate with said third communication device.
3. The communication system according to claim 1 or 2, characterized by further comprising logic changing means for storing in a memory or installing in a circuit encryption/decryption logics that can serve as candidates for negotiation by said encryption/decryption logic negotiation means, and for periodically changing the stored or installed encryption/decryption logics serving as negotiation candidates.
4. The communication system according to claim 1 or 2, characterized in that said encryption/decryption logic negotiation means, in connection with said encryption/decryption logic, can also negotiate not to encrypt and to handle plaintext.
5. A communication system that communicates after adding an authentication function to the TCP or UDP protocol located at the transport layer, characterized by comprising:
connection sequence means for judging whether a communication counterpart has legitimate authority and connecting to the communication counterpart only thereafter;
integrity authentication negotiation means for negotiating the integrity authentication logic corresponding to both ends of the communication line;
protocol integrity authentication information appending means for appending, according to the integrity authentication logic negotiated by said integrity authentication negotiation means, integrity authentication information to at least the protocol corresponding to the payload of said TCP or UDP in the packet that is the unit of information exchange, and then transmitting it; and
protocol integrity authentication means for performing integrity authentication, according to the integrity authentication logic negotiated by said integrity authentication negotiation means, of the received protocol to which the integrity authentication information has been appended,
wherein communication based on said integrity authentication logic is carried out, using the TCP or UDP protocol located at said transport layer, only with a communication counterpart judged by said connection sequence means to have legitimate authority.
6. A communication system constituted by first, second and third communication devices each connected to a network, wherein said first and second communication devices comprise: connection sequence means for using the TCP or UDP located at the transport layer to judge whether a communication counterpart has legitimate authority and connecting to that communication counterpart only thereafter; and integrity authentication negotiation means for negotiating the integrity authentication carried out using said TCP or UDP; and said third communication device does not have said integrity authentication negotiation means, characterized in that:
said first and second communication devices have integrity authentication protocol processing means that processes TCP or UDP after appending said integrity authentication information and then transmits, and ordinary protocol processing means that processes ordinary TCP or UDP to which said integrity authentication information is not appended,
said third communication device has only ordinary protocol processing means that does not follow said integrity authentication,
when communicating with said second communication device, said first communication device connects to the second communication device after said connection sequence means has confirmed that the communication counterpart, namely said second communication device, is a legitimate counterpart, and then communicates using the integrity authentication protocol means that has appended said integrity authentication information, and
when communicating with said third communication device, said first communication device, according to the judgement information of said connection sequence means, either decides not to append said integrity authentication information and selects said ordinary protocol processing means for the communication with the third communication device, or uses said integrity authentication negotiation means to confirm that the communication counterpart, namely said third communication device, is not a communication counterpart having legitimate authority, and does not connect or communicate.
7. The communication system according to claim 5 or 6, characterized by further comprising integrity authentication logic changing means for storing in a memory or installing in a circuit integrity authentication logics serving as candidates for negotiation by the integrity authentication negotiation means, and for periodically changing the stored or installed integrity authentication logics.
8. The communication system according to claim 5 or 6, characterized in that the negotiation by said integrity authentication negotiation means is a negotiation either to append said integrity authentication information to the transmitted data or not to append said integrity authentication information.
9. A communication method that communicates by adding an encryption function to the protocol corresponding to TCP or UDP of the transport layer, characterized by comprising:
a connection step of using said TCP or UDP protocol to judge whether a communication counterpart has legitimate authority and connecting to the communication counterpart only thereafter;
a negotiation step of negotiating, in advance or dynamically, the encryption/decryption logic corresponding to both ends of the communication line;
a protocol encryption step of encrypting, according to the encryption logic negotiated in said negotiation step, at least the protocol corresponding to the payload of said TCP or UDP in the packet that is the unit of information exchange, and then transmitting it; and
a protocol decryption step of decrypting the received encrypted protocol according to the decryption logic negotiated in said negotiation step,
wherein, when said connection step judges that the communication counterpart has legitimate authority, the protocol corresponding to TCP or UDP of the transport layer is encrypted and then communicated.
10. A communication method performed by first, second and third communication devices each connected to a network, wherein the first and second communication devices comprise: negotiation means for negotiating the encryption/decryption logic used in a communication method that communicates after adding an encryption function to the protocol corresponding to TCP or UDP of the transport layer; and connection sequence means for judging whether a communication counterpart has legitimate authority and connecting to that communication counterpart only thereafter; and said third communication device does not have negotiation means for negotiating said encryption/decryption logic, characterized in that:
when said first communication device communicates with said second communication device, according to the judgement information of said connection sequence means, the payload of the protocol corresponding to said TCP or UDP is encrypted according to the encryption logic negotiated by said negotiation means and then communicated, and
when said first communication device communicates with said third communication device, according to the judgement information of said connection sequence means, it either decides to transmit without encrypting the payload of said TCP or UDP protocol according to the encryption logic negotiated by said negotiation means and selects communication using the ordinary TCP or UDP protocol that does not follow said encryption logic, or does not communicate with said third communication device.
11. The communication method according to claim 9 or 10, characterized in that encryption/decryption logics that can serve as negotiation candidates in said negotiation step are stored in a memory or a circuit, and the contents of the stored encryption/decryption logics are changed periodically.
12. The communication method according to claim 9 or 10, characterized in that, in said negotiation step, it can be negotiated, as the encryption/decryption logic, not to encrypt and to handle plaintext.
13. The communication method according to claim 9 or 10, characterized by further comprising, before said negotiation step, a step of authenticating the communication counterpart.
14. A communication method that communicates by adding an authentication function to the protocol corresponding to TCP or UDP located at the transport layer, characterized by comprising:
a connection step of using said TCP or UDP protocol to judge whether a communication counterpart has legitimate authority and connecting to the communication counterpart only thereafter;
an integrity authentication negotiation step of negotiating in advance the encryption/decryption logic corresponding to both ends of the communication line;
a protocol integrity authentication information appending step of appending, according to the integrity authentication logic negotiated in said integrity authentication negotiation step, said integrity authentication information to at least the protocol corresponding to the payload of TCP or UDP in the packet that is the unit of information exchange, and then transmitting it; and
a protocol integrity authentication step of performing integrity authentication, according to the integrity authentication logic negotiated in said integrity authentication negotiation step, of the received protocol to which this integrity authentication information has been appended,
wherein, when the connection step judges that the communication counterpart has legitimate authority, said integrity authentication information is appended to said TCP or UDP protocol located at said transport layer and communication is then carried out.
15. A communication method for communicating via a network either between first and second communication devices, each having connection sequence means for using the TCP or UDP of the transport layer to judge whether a communication counterpart has legitimate authority and connecting to the communication counterpart only thereafter, and integrity authentication negotiation means for negotiating the integrity authentication carried out using said TCP or UDP, or between the first or second communication device, which has said integrity authentication negotiation means, and a third communication device, which does not have said integrity authentication negotiation means, characterized in that:
when said first communication device, in which the integrity authentication protocol is installed, communicates with said second communication device, in which the integrity authentication protocol is likewise installed, then, according to the judgement information of said connection sequence means, said integrity authentication negotiation means is used to process the integrity authentication protocol of TCP or UDP to which said integrity authentication information has been appended, and transmission then takes place; and when said first or second communication device, in which said integrity authentication protocol is installed, communicates with the third communication device, in which said integrity authentication protocol is not installed, said integrity authentication negotiation means, according to the judgement information of said connection sequence means, either decides not to append said integrity authentication information and selects the ordinary protocol processing of ordinary TCP or UDP for the communication with said third communication device, or does not carry out said integrity authentication negotiation and does not communicate with said third communication device.
16. The communication method according to claim 14 or 15, characterized by further having: a step of storing in a memory or installing in a circuit integrity authentication logics, used for appending integrity authentication information, that can serve as candidates in said integrity authentication negotiation step; and an integrity authentication logic changing step of periodically changing the stored or installed contents.
17. The communication method according to claim 14 or 15, characterized in that, in said integrity authentication negotiation step, it can be decided, by the integrity authentication logic used for appending integrity authentication information, not to append integrity authentication information.
18. The communication method according to claim 14 or 15, characterized by further comprising, before said integrity authentication negotiation step, a step of authenticating the communication counterpart.
CN2004800226604A 2003-08-08 2004-07-30 Communication system, communication device and communication method Expired - Fee Related CN1833403B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2003290822 2003-08-08
JP290822/2003 2003-08-08
PCT/JP2004/011304 WO2005015827A1 (en) 2003-08-08 2004-07-30 Communication system, communication device, communication method, and communication program for realizing the same

Publications (2)

Publication Number Publication Date
CN1833403A CN1833403A (en) 2006-09-13
CN1833403B true CN1833403B (en) 2011-05-25

Family

ID=34131609

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2004800226604A Expired - Fee Related CN1833403B (en) 2003-08-08 2004-07-30 Communication system, communication device and communication method

Country Status (12)

Country Link
US (4) US8041816B2 (en)
EP (1) EP1653660A4 (en)
JP (1) JP3783142B2 (en)
KR (1) KR101055861B1 (en)
CN (1) CN1833403B (en)
AU (1) AU2004302108C1 (en)
CA (1) CA2534919C (en)
IL (1) IL173316A (en)
IN (1) IN2014DN00130A (en)
NO (1) NO20056234L (en)
TW (1) TW200518516A (en)
WO (1) WO2005015827A1 (en)

Families Citing this family (85)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7343413B2 (en) 2000-03-21 2008-03-11 F5 Networks, Inc. Method and system for optimizing a network by independently scaling control segments and data flow
US8380854B2 (en) 2000-03-21 2013-02-19 F5 Networks, Inc. Simplified method for processing multiple connections from the same client
JP4898168B2 (en) 2005-03-18 2012-03-14 キヤノン株式会社 COMMUNICATION SYSTEM, COMMUNICATION DEVICE, COMMUNICATION METHOD, AND PROGRAM
JP5389145B2 (en) * 2005-03-18 2014-01-15 キヤノン株式会社 COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM
US7706314B2 (en) * 2005-05-20 2010-04-27 Cisco Technology, Inc. Approach for implementing IPsec in performance enhancing proxy (PEP) environments
JP2006352676A (en) * 2005-06-17 2006-12-28 Toshiba Corp Information processing apparatus and its control method
JPWO2007069327A1 (en) * 2005-12-15 2009-05-21 富士通株式会社 RELAY DEVICE, RELAY METHOD, RELAY PROGRAM, COMPUTER-READABLE RECORDING MEDIUM CONTAINING RELAY PROGRAM, AND INFORMATION PROCESSING DEVICE
JP4783665B2 (en) * 2006-04-25 2011-09-28 株式会社Into Mail server device
JP4757088B2 (en) * 2006-04-25 2011-08-24 株式会社Into Relay device
JP4855147B2 (en) 2006-05-30 2012-01-18 株式会社Into Client device, mail system, program, and recording medium
JP4866150B2 (en) * 2006-05-30 2012-02-01 株式会社Into FTP communication system, FTP communication program, FTP client device, and FTP server device
JP2007329750A (en) * 2006-06-08 2007-12-20 Ttt Kk Encrypted communication system
US20080022388A1 (en) * 2006-06-30 2008-01-24 Karanvir Grewal Method and apparatus for multiple inclusion offsets for security protocols
EP2043296A4 (en) * 2006-07-13 2011-04-20 Keiko Ogawa Relay device
JP2008060817A (en) * 2006-08-30 2008-03-13 Ttt Kk Communication system, web server device, client device, communication program for performing communication, and recording medium recording the program
US7433226B2 (en) * 2007-01-09 2008-10-07 Macronix International Co., Ltd. Method, apparatus and computer program product for read before programming process on multiple programmable resistive memory cell
JP2008287519A (en) * 2007-05-17 2008-11-27 Keiko Ogawa Data encryption, transmission and saving system and removable medium
KR100889670B1 (en) * 2007-08-08 2009-03-19 삼성에스디에스 주식회사 Method for preventing tcp-based denial-of-service attacks on mobile devices
FI120479B (en) * 2007-12-05 2009-10-30 Telcont Oy Procedure and timing for establishing connection to an apparatus
US8671202B2 (en) * 2007-12-20 2014-03-11 Ooma, Inc. Mechanisms for role negotiation in the establishment of secure communication channels in peer-to-peer environments
KR100977365B1 (en) * 2007-12-20 2010-08-20 삼성에스디에스 주식회사 Mobile devices with a self-defence function against virus and network based attack and a self-defence method
US8639936B2 (en) * 2008-03-25 2014-01-28 Alcatel Lucent Methods and entities using IPSec ESP to support security functionality for UDP-based traffic
US8806053B1 (en) 2008-04-29 2014-08-12 F5 Networks, Inc. Methods and systems for optimizing network traffic using preemptive acknowledgment signals
US8799809B1 (en) 2008-06-04 2014-08-05 United Services Automobile Association (Usaa) Systems and methods for key logger prevention security techniques
CN101521667B (en) * 2009-04-15 2012-04-04 山东渔翁信息技术股份有限公司 Method and device for safety data communication
US8868961B1 (en) 2009-11-06 2014-10-21 F5 Networks, Inc. Methods for acquiring hyper transport timing and devices thereof
US10721269B1 (en) 2009-11-06 2020-07-21 F5 Networks, Inc. Methods and system for returning requests with javascript for clients before passing a request to a server
CN101808142B (en) * 2010-03-10 2013-03-27 上海十进制网络信息技术有限公司 Method and device for realizing trusted network connection through router or switch
US9294506B2 (en) * 2010-05-17 2016-03-22 Certes Networks, Inc. Method and apparatus for security encapsulating IP datagrams
US9141625B1 (en) 2010-06-22 2015-09-22 F5 Networks, Inc. Methods for preserving flow state during virtual machine migration and devices thereof
US10015286B1 (en) 2010-06-23 2018-07-03 F5 Networks, Inc. System and method for proxying HTTP single sign on across network domains
US8908545B1 (en) 2010-07-08 2014-12-09 F5 Networks, Inc. System and method for handling TCP performance in network access with driver initiated application tunnel
US8347100B1 (en) 2010-07-14 2013-01-01 F5 Networks, Inc. Methods for DNSSEC proxying and deployment amelioration and systems thereof
US9083760B1 (en) 2010-08-09 2015-07-14 F5 Networks, Inc. Dynamic cloning and reservation of detached idle connections
CN101945105B (en) * 2010-08-31 2013-05-08 施昊 Network information transmission/reception system and method
US8886981B1 (en) 2010-09-15 2014-11-11 F5 Networks, Inc. Systems and methods for idle driven scheduling
US8804504B1 (en) 2010-09-16 2014-08-12 F5 Networks, Inc. System and method for reducing CPU load in processing PPP packets on a SSL-VPN tunneling device
WO2012058486A2 (en) 2010-10-29 2012-05-03 F5 Networks, Inc. Automated policy builder
WO2012058643A2 (en) 2010-10-29 2012-05-03 F5 Networks, Inc. System and method for on the fly protocol conversion in obtaining policy enforcement information
US8971539B2 (en) * 2010-12-30 2015-03-03 Verisign, Inc. Management of SSL certificate escrow
US10135831B2 (en) 2011-01-28 2018-11-20 F5 Networks, Inc. System and method for combining an access control system with a traffic management system
US9246819B1 (en) 2011-06-20 2016-01-26 F5 Networks, Inc. System and method for performing message-based load balancing
JP4843116B1 (en) * 2011-08-22 2011-12-21 株式会社Into Network gateway device
US9270766B2 (en) 2011-12-30 2016-02-23 F5 Networks, Inc. Methods for identifying network traffic characteristics to correlate and manage one or more subsequent flows and devices thereof
US10230566B1 (en) 2012-02-17 2019-03-12 F5 Networks, Inc. Methods for dynamically constructing a service principal name and devices thereof
US9231879B1 (en) 2012-02-20 2016-01-05 F5 Networks, Inc. Methods for policy-based network traffic queue management and devices thereof
US9172753B1 (en) 2012-02-20 2015-10-27 F5 Networks, Inc. Methods for optimizing HTTP header based authentication and devices thereof
EP2853074B1 (en) 2012-04-27 2021-03-24 F5 Networks, Inc Methods for optimizing service of content requests and devices thereof
US10984415B2 (en) * 2012-06-25 2021-04-20 Li Tan System and methods for using limit-use encrypted code to transfer values securely among users
US9729309B2 (en) 2012-12-19 2017-08-08 Intel Corporation Securing data transmission between processor packages
US10375155B1 (en) 2013-02-19 2019-08-06 F5 Networks, Inc. System and method for achieving hardware acceleration for asymmetric flow connections
US9231918B2 (en) * 2013-02-19 2016-01-05 Cisco Technology, Inc. Use of virtual network interfaces and a websocket based transport mechanism to realize secure node-to-site and site-to-site virtual private network solutions
US10187317B1 (en) 2013-11-15 2019-01-22 F5 Networks, Inc. Methods for traffic rate control and devices thereof
US10015143B1 (en) 2014-06-05 2018-07-03 F5 Networks, Inc. Methods for securing one or more license entitlement grants and devices thereof
US11838851B1 (en) 2014-07-15 2023-12-05 F5, Inc. Methods for managing L7 traffic classification and devices thereof
US10122630B1 (en) 2014-08-15 2018-11-06 F5 Networks, Inc. Methods for network traffic presteering and devices thereof
US10182013B1 (en) 2014-12-01 2019-01-15 F5 Networks, Inc. Methods for managing progressive image delivery and devices thereof
US11895138B1 (en) 2015-02-02 2024-02-06 F5, Inc. Methods for improving web scanner accuracy and devices thereof
US10834065B1 (en) 2015-03-31 2020-11-10 F5 Networks, Inc. Methods for SSL protected NTLM re-authentication and devices thereof
US11350254B1 (en) 2015-05-05 2022-05-31 F5, Inc. Methods for enforcing compliance policies and devices thereof
US10505818B1 (en) 2015-05-05 2019-12-10 F5 Networks, Inc. Methods for analyzing and load balancing based on server health and devices thereof
KR102335741B1 (en) * 2015-08-13 2021-12-06 삼성전자주식회사 Scheme for communication using beamformed csi-rs in mobile communication system
US10514683B2 (en) 2015-09-16 2019-12-24 Profire Energy, Inc. Distributed networking system and method to implement a safety state environment
US10432754B2 (en) 2015-09-16 2019-10-01 Profire Energy, Inc. Safety networking protocol and method
US10348867B1 (en) * 2015-09-30 2019-07-09 EMC IP Holding Company LLC Enhanced protocol socket domain
US11757946B1 (en) 2015-12-22 2023-09-12 F5, Inc. Methods for analyzing network traffic and enforcing network policies and devices thereof
US10404698B1 (en) 2016-01-15 2019-09-03 F5 Networks, Inc. Methods for adaptive organization of web application access points in webtops and devices thereof
US10797888B1 (en) 2016-01-20 2020-10-06 F5 Networks, Inc. Methods for secured SCEP enrollment for client devices and devices thereof
US11178150B1 (en) 2016-01-20 2021-11-16 F5 Networks, Inc. Methods for enforcing access control list based on managed application and devices thereof
JP2017220890A (en) * 2016-06-10 2017-12-14 システムプラザ株式会社 Encryption communication system and encryption communication method
US10791088B1 (en) 2016-06-17 2020-09-29 F5 Networks, Inc. Methods for disaggregating subscribers via DHCP address translation and devices thereof
CN106102051A (en) * 2016-08-26 2016-11-09 北京方研矩行科技有限公司 A method for securely discovering smart devices in a LAN
US11063758B1 (en) 2016-11-01 2021-07-13 F5 Networks, Inc. Methods for facilitating cipher selection and devices thereof
US10505792B1 (en) 2016-11-02 2019-12-10 F5 Networks, Inc. Methods for facilitating network traffic analytics and devices thereof
US10812266B1 (en) 2017-03-17 2020-10-20 F5 Networks, Inc. Methods for managing security tokens based on security violations and devices thereof
US10972453B1 (en) 2017-05-03 2021-04-06 F5 Networks, Inc. Methods for token refreshment based on single sign-on (SSO) for federated identity environments and devices thereof
US11122042B1 (en) 2017-05-12 2021-09-14 F5 Networks, Inc. Methods for dynamically managing user access control and devices thereof
US11343237B1 (en) 2017-05-12 2022-05-24 F5, Inc. Methods for managing a federated identity environment using security and access control data and devices thereof
CN111033599B (en) * 2017-08-22 2023-04-28 日本电信电话株式会社 Negotiation system, negotiation device, and recording medium
US11122083B1 (en) 2017-09-08 2021-09-14 F5 Networks, Inc. Methods for managing network connections based on DNS data and network policies and devices thereof
KR102460071B1 (en) * 2017-12-21 2022-10-28 삼성전자주식회사 Apparatus and method for distinguishing communication signal in front of communication modem
US11044200B1 (en) 2018-07-06 2021-06-22 F5 Networks, Inc. Methods for service stitching using a packet header and devices thereof
US11418491B2 (en) * 2020-02-26 2022-08-16 Cisco Technology, Inc. Dynamic firewall discovery on a service plane in a SDWAN architecture
US11395329B2 (en) * 2020-06-19 2022-07-19 Qualcomm Incorporated Uplink traffic prioritization across multiple links
US11831539B2 (en) 2022-02-03 2023-11-28 Karunesh Rama KAIMAL Methods and systems of sharing encrypted organization data packets among network devices based on service-oriented protocol

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002236618A (en) * 2001-02-07 2002-08-23 Fujitsu Ltd Confidential information management system and information terminal

Family Cites Families (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6058478A (en) * 1994-09-30 2000-05-02 Intel Corporation Apparatus and method for a vetted field upgrade
US5764915A (en) * 1996-03-08 1998-06-09 International Business Machines Corporation Object-oriented communication interface for network protocol access using the selected newly created protocol interface object and newly created protocol layer objects in the protocol stack
US6055575A (en) * 1997-01-28 2000-04-25 Ascend Communications, Inc. Virtual private network system and method
US6233624B1 (en) * 1997-05-08 2001-05-15 Microsoft Corporation System and method for layering drivers
US6704866B1 (en) * 1997-07-11 2004-03-09 Cisco Technology, Inc. Compression and encryption protocol for controlling data flow in a network
FI105753B (en) * 1997-12-31 2000-09-29 Ssh Comm Security Oy Procedure for authentication of packets in the event of changed URLs and protocol modifications
US6148336A (en) * 1998-03-13 2000-11-14 Deterministic Networks, Inc. Ordering of multiple plugin applications using extensible layered service provider with network traffic filtering
US6781991B1 (en) * 1999-02-26 2004-08-24 Lucent Technologies Inc. Method and apparatus for monitoring and selectively discouraging non-elected transport service over a packetized network
US6957346B1 (en) * 1999-06-15 2005-10-18 Ssh Communications Security Ltd. Method and arrangement for providing security through network address translations using tunneling and compensations
US7370348B1 (en) * 1999-07-30 2008-05-06 Intel Corporation Technique and apparatus for processing cryptographic services of data in a network system
GB2353676A (en) * 1999-08-17 2001-02-28 Hewlett Packard Co Robust encryption and decryption of packetised data transferred across communications networks
US7581110B1 (en) * 1999-08-25 2009-08-25 Nokia Corporation Key distribution for encrypted broadcast data using minimal system bandwidth
US20010052072A1 (en) * 2000-01-25 2001-12-13 Stefan Jung Encryption of payload on narrow-band IP links
US6880017B1 (en) * 2000-03-20 2005-04-12 International Business Machines Corporation System and method for providing an adaptive streaming flow control mechanism between the TCP and IP layers of the TCP/IP suite of protocols
US7584512B2 (en) 2000-05-09 2009-09-01 Microsoft Corporation Restricted software and hardware usage on a computer
JP4608749B2 (en) * 2000-07-24 2011-01-12 ソニー株式会社 Data processing apparatus, data processing method, license system, and program providing medium
US20030014624A1 (en) * 2000-07-31 2003-01-16 Andes Networks, Inc. Non-proxy internet communication
US20020042875A1 (en) * 2000-10-11 2002-04-11 Jayant Shukla Method and apparatus for end-to-end secure data communication
KR100501080B1 (en) * 2000-12-19 2005-07-18 노병희 A method and system for distinguishing higher layer protocols of the internet traffic
US6845397B1 (en) * 2000-12-29 2005-01-18 Nortel Networks Limited Interface method and system for accessing inner layers of a network protocol
KR100693834B1 (en) * 2001-03-30 2007-03-12 대우전자부품(주) UHF input filter circuit
US20030156715A1 (en) * 2001-06-12 2003-08-21 Reeds James Alexander Apparatus, system and method for validating integrity of transmitted data
US20050210243A1 (en) * 2001-09-28 2005-09-22 Archard Paul L System and method for improving client response times using an integrated security and packet optimization framework
US7289509B2 (en) * 2002-02-14 2007-10-30 International Business Machines Corporation Apparatus and method of splitting a data stream over multiple transport control protocol/internet protocol (TCP/IP) connections
US7127613B2 (en) * 2002-02-25 2006-10-24 Sun Microsystems, Inc. Secured peer-to-peer network data exchange
US7373663B2 (en) * 2002-05-31 2008-05-13 Alcatel Canada Inc. Secret hashing for TCP SYN/FIN correspondence
US20040260921A1 (en) * 2002-07-18 2004-12-23 Treadwell William S. Cryptographic method, system and engine for enciphered message transmission
US7069438B2 (en) * 2002-08-19 2006-06-27 Sowl Associates, Inc. Establishing authenticated network connections
US7231664B2 (en) * 2002-09-04 2007-06-12 Secure Computing Corporation System and method for transmitting and receiving secure data in a virtual private group
KR100477513B1 (en) * 2002-11-25 2005-03-17 전자부품연구원 Architecture and method of a common protocol for transferring data between different network protocols and a common protocol packet
US7949785B2 (en) * 2003-03-31 2011-05-24 Inpro Network Facility, Llc Secure virtual community network system
US7526640B2 (en) * 2003-06-30 2009-04-28 Microsoft Corporation System and method for automatic negotiation of a security protocol
US7191248B2 (en) * 2003-08-29 2007-03-13 Microsoft Corporation Communication stack for network communication and routing
US20050060538A1 (en) * 2003-09-15 2005-03-17 Intel Corporation Method, system, and program for processing of fragmented datagrams
US20050086342A1 (en) * 2003-09-19 2005-04-21 Andrew Burt Techniques for client-transparent TCP migration
US20050175184A1 (en) * 2004-02-11 2005-08-11 Phonex Broadband Corporation Method and apparatus for a per-packet encryption system
US9219579B2 (en) * 2004-07-23 2015-12-22 Citrix Systems, Inc. Systems and methods for client-side application-aware prioritization of network communications

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002236618A (en) * 2001-02-07 2002-08-23 Fujitsu Ltd Confidential information management system and information terminal

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Camillo Saers. Angoka Gijutsu ga Hiraku Internet Shinjidai: Transport-so Protocol SSH ga Kano ni suru Anzen na Enkaku Log-in. DDJ (Kabushiki Kaisha Shoeisha), 1998, 7(2), 63-69.
Camillo Saers. Angoka Gijutsu ga Hiraku Internet Shinjidai: Transport-so Protocol SSH ga Kano ni suru Anzen na Enkaku Log-in. DDJ (Kabushiki Kaisha Shoeisha), 1998, 7(2), 63-69. *
Hidetoshi UENO et al. Multicast Tsushin no tame no Transport-so Data Angoka Protocol no Teian to Jisso. Shingaku Giho NS2003-40, 2003, pp. 25-28, Figs. 1-7. *
Toshikazu YAMAGUCHI et al. LAN Security Tsushin Gijutsu: TCP Layer ni Okeru Tsushin Data no Angoka. NTT R&D, 1995, 44(8), 653-660.
Toshikazu YAMAGUCHI et al. LAN Security Tsushin Gijutsu: TCP Layer ni Okeru Tsushin Data no Angoka. NTT R&D, 1995, 44(8), 653-660. *

Also Published As

Publication number Publication date
JPWO2005015827A1 (en) 2006-10-12
AU2004302108A1 (en) 2005-02-17
IL173316A0 (en) 2006-06-11
IN2014DN00130A (en) 2015-05-22
AU2004302108C1 (en) 2010-09-16
US20140115320A1 (en) 2014-04-24
US8041816B2 (en) 2011-10-18
CA2534919C (en) 2011-04-05
AU2004302108B2 (en) 2010-02-25
US20120066489A1 (en) 2012-03-15
US20060190720A1 (en) 2006-08-24
US20140223169A1 (en) 2014-08-07
WO2005015827A1 (en) 2005-02-17
TW200518516A (en) 2005-06-01
KR20060059908A (en) 2006-06-02
US8799505B2 (en) 2014-08-05
EP1653660A1 (en) 2006-05-03
CA2534919A1 (en) 2005-02-17
TWI362859B (en) 2012-04-21
IL173316A (en) 2010-12-30
CN1833403A (en) 2006-09-13
JP3783142B2 (en) 2006-06-07
EP1653660A4 (en) 2011-12-28
NO20056234L (en) 2006-05-08
KR101055861B1 (en) 2011-08-09
US9749449B2 (en) 2017-08-29

Similar Documents

Publication Publication Date Title
CN1833403B (en) Communication system, communication device and communication method
Rescorla et al. Guidelines for writing RFC text on security considerations
US8886934B2 (en) Authorizing physical access-links for secure network connections
US9602485B2 (en) Network, network node with privacy preserving source attribution and admission control and device implemented method therefor
US20100077203A1 (en) Relay device
JP4855147B2 (en) Client device, mail system, program, and recording medium
CN113904809B (en) Communication method, device, electronic equipment and storage medium
Aboba et al. Securing block storage protocols over ip
KR101089269B1 (en) Attack Detection Method And System with Secure SIP Protocol
JP4757088B2 (en) Relay device
JP4866150B2 (en) FTP communication system, FTP communication program, FTP client device, and FTP server device
Rescorla et al. RFC3552: Guidelines for Writing RFC Text on Security Considerations
JP2007329750A (en) Encrypted communication system
JP4783665B2 (en) Mail server device
TW200841672A (en) Relaying apparatus
JP2007324726A (en) File share server apparatus, client apparatus, printer, file share system, and file share program
JP2007329751A (en) Encrypted communication system
JP2007019633A (en) Relay connector device and semiconductor circuit device
KR20090032072A (en) Relay device
Forrester et al. Security in Data Networks
JP2007019632A (en) Communication board and communication method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: OGAWA KEIKO

Free format text: FORMER OWNER: T. T. T. KABUSHIKIKAISHA

Effective date: 20080711

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20080711

Address after: Tokyo, Japan

Applicant after: Ogawa Keiko

Address before: Osaka City, Osaka, Japan

Applicant before: T. T. T. Kabushikikaisha

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110525

Termination date: 20190730